Introduction:

Thank you for purchasing this technical Book about configuring Cisco ASA Firewalls. I truly believe that you have made an important step towards your career in network security, which is a fast developing and evolving field in the networking area.

Information Security threats are on the rise, and although several products and technologies have been developed to mitigate these threats, the long-proven and trusted hardware firewall is still the heart of security for any network. Firewall administrators and designers are therefore in high demand. Cisco has a large market share in the hardware firewall market, so by learning to configure and implement one of the best firewall appliances you are guaranteed a successful career in this field.

This Book is the result of my working experience with the Cisco Adaptive Security Appliance (ASA), and summarizes the most important features and most frequent configuration scenarios that a security engineer will encounter in real world networks. I have tried to "squeeze" the vast volume of information about Cisco ASA firewalls into a handy, directly applicable book that will get you on track right away. You can use this Book in conjunction with other documentation resources or as a reference guide for the most common configuration concepts of the Cisco ASA firewall.

This Third Edition of the book is completely updated to cover the latest ASA version 9.x. All configuration commands, features etc will work on the newest ASA 9.x (in addition to older 8.x versions) and also on the newest ASA 5500-X models. This updated book Edition also includes extensive new content, making it one of the most complete ASA books available in the market. I believe that the Third Edition book will be a valuable resource for both beginners and experienced ASA professionals.

For any questions that you may have or clarifications about the information presented in this Book please contact me at: ad m i n <g) n etw 0 rkst rninm 3 r.com

Have fun reading my Book. I hope it will be a valuable resource for you.
Chapter 1 Getting Started With Cisco Firewalls

1.1 User Interface

This lesson describes the access modes and commands associated with the operation of Cisco ASA security appliances. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with RJ-45 on one end and DB-9 Serial on the other end) and a Terminal Emulation software (e.g. HyperTerminal or Putty), and how to use a basic Command Line Interface.

1.1.1 Security Appliance Access Modes

A Cisco security appliance (PIX or ASA) has four main administrative access modes:

• Monitor Mode: Displays the monitor> prompt. A special mode that enables you to update the image over the network or to perform password recovery. While in the monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password recovery binary image file to download. You access this mode by pressing the "Break" or "ESC" keys immediately after powering up the appliance.

• Unprivileged Mode: Displays the > prompt. Available when you first access the appliance. If the appliance is a Cisco PIX 500 series, the prompt for unprivileged mode is pixfirewall> and if the appliance is the newer Cisco ASA 5500 Series, the prompt is ciscoasa>

This mode provides a restricted view of the security appliance. You cannot configure anything from this mode. To get started with configuration, the first command you need to know is the enable command. Type enable and hit Enter. The initial password is empty, so hit Enter to move on to the next access mode (Privileged Mode).


ciscoasa> enable        <- Unprivileged Mode
password:               <- Enter a password here (initially it is blank)
ciscoasa#               <- Privileged Mode

• Privileged Mode: Displays the # prompt. Enables you to change the current settings; any unprivileged command also works in this mode. From this mode you can enter the Configuration Mode.
• Configuration Mode: This mode displays the (config)# prompt. Enables you to change system configuration settings. Use exit from each mode to return to the previous mode.

ciscoasa> enable                   <- Unprivileged Mode
password:                          <- Enter a password here (initially it is blank)
ciscoasa# configure terminal       <- Privileged Mode
ciscoasa(config)#                  <- Configuration Mode
ciscoasa(config)# exit             <- Back to Privileged Mode
ciscoasa# exit
ciscoasa>                          <- Back to Unprivileged Mode

The (config)# mode is sometimes called Global Configuration Mode. Some commands from this mode enter a command-specific mode and the prompt changes. For example the interface command enters interface configuration mode as shown below:

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#               <- Configure interface specific parameters


1.2 File Management

This lesson describes the file management system in the security appliance. Each ASA device contains flash memory and also RAM, which is used to store the currently running configuration.

1.2.1 Viewing and saving your configuration

There are two configuration instances in the Cisco security appliances:

• running-configuration (stored in RAM)
• startup-configuration (stored in Flash)

The first one (running-configuration) is the one currently running on the appliance, and it is stored in the RAM of the firewall. You can view this configuration by typing (in Privileged Mode):

ciscoasa# show running-config

Any command that you enter in the firewall is directly written in the running-config and takes effect immediately. Since the running-config is written in the RAM memory, if the appliance loses power it will also lose any configuration changes that were not previously saved.

To save the currently running configuration, use the command:

ciscoasa# copy run start

or

ciscoasa# write memory

The above two commands copy the running-config into the startup-config.

As mentioned above, the startup configuration is the backup configuration of the running one. It is stored in Flash Memory, so it is not lost when the appliance is rebooted. Also, the startup-configuration is the one which is loaded when the appliance boots up. To view the stored startup-configuration type show startup-config.
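The practical consequence of the two configuration instances is that any statement present in running-config but not in startup-config disappears on a power loss or reload. The following script is an added example (not from the book or from Cisco) that compares the two listings and reports the unsaved statements; both configuration texts are constructed samples written in the layout of show running-config / show startup-config output, not captures from a real appliance.

```python
# Added example, not from the book: list the configuration statements that would be lost
# if the appliance rebooted before "write memory" / "copy run start".
# Both listings below are constructed samples, not captured from a real ASA.
from typing import List, Tuple

STARTUP_CONFIG = """\
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 100.1.1.1
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

RUNNING_CONFIG = """\
: Saved
:
ASA Version 9.1(1)
!
hostname NewYork-FW
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ssh 10.1.1.1 255.255.255.255 inside
route outside 0.0.0.0 0.0.0.0 100.1.1.1
Cryptochecksum:fedcba9876543210fedcba9876543210
: end
"""


def _config_lines(config: str) -> List[str]:
    """Keep only configuration statements: drop blank lines, '!' separators,
    ': ...' header/footer comments and the Cryptochecksum, which differ on every save."""
    kept = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith(("!", ":", "Cryptochecksum:")):
            continue
        kept.append(line)  # indentation is kept so sub-commands stay distinguishable
    return kept


def unsaved_changes(running: str, startup: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed): statements only in running-config, and statements only in
    startup-config. Both lists empty means the saved configuration is up to date."""
    run, start = _config_lines(running), _config_lines(startup)
    added = [line for line in run if line not in start]
    removed = [line for line in start if line not in run]
    return added, removed


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    for line in added:
        print("+", line)      # present only in RAM: lost on reboot unless saved
    for line in removed:
        print("-", line)      # present only in Flash: comes back on reboot
```

On the sample listings the hostname change and the new ssh entry show up as unsaved, and the old hostname as the value that would return after a reload.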


1.3 ASA Image Software Management

The ASA image is basically the operating system of the appliance. It is like the IOS used in Cisco Routers. When we refer to ASA software version 8.x, 9.x etc we mean the version of the image software.

The ASA image is a compressed binary file and it's pre-installed on the flash of the device. The image gets decompressed into RAM when the appliance boots up. For example an ASA image filename looks like 'asa911-k8.bin'.

To upload a new image to the ASA (for upgrading the existing software version), follow the steps below:

Step 1: Setup a TFTP Server

First copy the ASA image file to a TFTP server computer. Assume that we have already a TFTP server located on the inside network with IP address 192.168.1.10

Step 2: Copy the image file from TFTP to flash of ASA

ciscoasa# copy tftp flash
Address or name of remote host []? 192.168.1.10
Source filename []? asa911-k8.bin
Destination filename [asa911-k8.bin]? <Hit Enter>
Accessing tftp://192.168.1.10/asa911-k8.bin.......

Step 3: Set the new image file as boot system file

ciscoasa# config term
ciscoasa(config)# boot system flash:/asa911-k8.bin
ciscoasa(config)# write memory

After rebooting the appliance, the new software image will be asa911-k8.bin

1.4 Password Recovery Procedure

If for any reason you are locked out of an ASA appliance and you don't remember the password to log in, then you need to follow the password recovery procedure below.

Step 1:

Connect with a console cable to the ASA and power-cycle the device (switch it OFF and ON again). Press continuously the "ESC" key on your keyboard until the device gets into ROMMON mode. This mode shows the following prompt:

rommon #1>

Step 2:

Now we need to change the "configuration register", which is a special register controlling how the device boots up etc.

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value. Answer no when prompted.

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash
Do you wish to change this configuration? y/n [n]: n

Step 3:

rommon #2> confreg 0x41
rommon #3> boot

Step 4:

Now the ASA will ignore its startup configuration and boot up without asking for a password.

ciscoasa> enable
password: <Hit Enter>
ciscoasa#

ciscoasa# copy startup-config running-config
Destination filename [running-config]? <Hit Enter>

Step 5:

Now configure a new privileged level password (enable password) and also reset the configuration register to its original value (0x01).

ciscoasa# config term
ciscoasa(config)# enable password strongpass
ciscoasa(config)# config-register 0x01
ciscoasa(config)# wr mem

Step 6:

Reload the appliance. Now you should be able to log in with the new password.

ciscoasa(config)# reload
1.5 Security Levels

This lesson describes the security levels concept as used in the ASA firewall appliance.

A Security Level is assigned to interfaces (either physical or logical sub-interfaces), and is basically a number from 0 to 100 designating how trusted an interface is relative to another interface on the appliance. The higher the security level, the more trusted the interface (and the network connected behind it) is considered to be, relative to another interface. Since each firewall interface represents a specific network (or security zone), by using security levels we can assign 'trust levels' to our security zones. The primary rule for security levels is that an interface (or zone) with a higher security level can access an interface with a lower security level. On the other hand, an interface with a lower security level cannot access an interface with a higher security level without the explicit permission of a security rule (Access Control List - ACL).

1.5.1 Security Level Examples

Let us see some examples of security levels below:

• Security Level 0: This is the lowest security level and it is assigned by default to the 'Outside' interface of the firewall. It is the least trusted security level and must be assigned accordingly to the network (interface) that we don't want to have any access to our internal networks. This security level is usually assigned to the interface connected to the Internet. This means that every device connected to the Internet can not have access to any network behind the firewall unless explicitly permitted by an ACL rule.

• Security Levels 1 to 99: These security levels can be assigned to perimeter security zones (e.g. DMZ Zone, Management Zone, Database Servers Zone etc).

• Security Level 100: This is the highest security level and it is assigned by default to the 'Inside' interface of the firewall. It is the most trusted security level and must be assigned accordingly to the network (interface) that we want to apply the most protection from the security appliance. This security level is usually assigned to the interface connecting the Internal Corporate network behind it.
[Diagram: Inside Zone (Security Level 100), DMZ Zone (Security Level 50) and Outside Zone (Security Level 0), with arrows showing the permitted traffic flow]

Arrows in the diagram represent the flow of traffic. As you can see, the Inside Zone can access both DMZ and Outside Zones (Security Level 100 can access freely the Security Levels 50 and 0). The DMZ Zone can access only the Outside Zone (Security Level 50 can access Level 0), but not the Inside Zone. Lastly, the Outside Zone cannot access either the Inside or the DMZ zones.

What is described in the example above is the default behavior of the Cisco ASA Firewalls. We can override the default behavior and allow access from Lower Security Levels to Higher Security Levels by using Static NAT (only if required) and Access Control Lists, as we will see in the next chapters of this book.
1.5.2 Rules for Traffic Flow between Security Levels

• Traffic from Higher Security Level to Lower Security Level: Allow ALL traffic originating from the Higher Security Level unless specifically restricted by an Access Control List (ACL). If NAT-Control is enabled on the device, then there must be a nat/global translation rule between High-to-Low Security Level interfaces. The nat-control command is not supported in ASA versions 8.3 and later (more on this later).

• Traffic from Lower Security Level to Higher Security Level: Drop ALL traffic unless specifically allowed by an ACL. If NAT-Control is enabled on the device (more on this later) then there must be a Static NAT between High-to-Low Security Level interfaces.

• Traffic between interfaces with the same Security Level: By default this is not allowed, unless you configure the same-security-traffic permit inter-interface command (ASA version 7.2 and later).
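The three rules above, together with the Inside/DMZ/Outside example of 1.5.1, can be exercised on sample flows with the small model below. It is an added example and not the book's or Cisco's code: interface names, security levels, addresses and the single ACL entry are constructed, and the ACL handling follows the text (an inbound ACL decides for that interface, with an implicit deny for anything it does not match).

```python
# Added example, not from the book: a model of the default ASA traffic policy described
# in 1.5.1 and 1.5.2. Interfaces, levels, addresses and ACL entries are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


def _matches(spec: str, ip: str) -> bool:
    """'any' or a network in CIDR form, as used in an access-list entry."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Ace:
    """One access-list entry: action, source network, destination network."""
    action: str  # "permit" or "deny"
    src: str
    dst: str


@dataclass
class Asa:
    # nameif -> security-level (the 'security-level' interface sub-command)
    levels: Dict[str, int]
    # nameif -> ACL applied inbound on that interface ('access-group ... in interface ...')
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    # 'same-security-traffic permit inter-interface', off by default
    same_security_inter_interface: bool = False

    def decide(self, ingress: str, egress: str, src_ip: str, dst_ip: str) -> str:
        """Decision for a new connection entering on `ingress` and leaving on `egress`."""
        if ingress in self.acls:
            # An inbound ACL takes over from the security-level default: the first matching
            # entry wins, and anything unmatched hits the implicit deny at the end.
            for ace in self.acls[ingress]:
                if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
                    return f"{ace.action} (ACL on {ingress})"
            return f"deny (implicit deny at end of ACL on {ingress})"
        lvl_in, lvl_out = self.levels[ingress], self.levels[egress]
        if lvl_in > lvl_out:
            return "permit (higher to lower security level)"
        if lvl_in < lvl_out:
            return "deny (lower to higher security level, no ACL permits it)"
        if self.same_security_inter_interface:
            return "permit (same-security-traffic permit inter-interface)"
        return "deny (same security level, inter-interface traffic not permitted)"


# The three-zone example of 1.5.1: Inside 100, DMZ 50, Outside 0. A constructed ACL on
# 'outside' lets the Internet reach one DMZ server (172.16.1.10) and nothing else.
fw = Asa(
    levels={"inside": 100, "DMZ": 50, "outside": 0},
    acls={"outside": [Ace("permit", "any", "172.16.1.10/32")]},
)

if __name__ == "__main__":
    flows = [
        ("inside", "outside", "10.0.0.5", "203.0.113.9"),
        ("inside", "DMZ", "10.0.0.5", "172.16.1.10"),
        ("DMZ", "inside", "172.16.1.10", "10.0.0.5"),
        ("outside", "DMZ", "203.0.113.9", "172.16.1.10"),
        ("outside", "inside", "203.0.113.9", "10.0.0.5"),
    ]
    for f in flows:
        print(f"{f[0]:>8} -> {f[1]:<8} {f[2]:>14} -> {f[3]:<14} {fw.decide(*f)}")
```

Running the block prints one decision per flow; the DMZ-to-inside and outside-to-inside flows are the ones dropped by the default policy, while the outside-to-DMZ flow gets through only because of the ACL entry.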


1.6 Basic Firewall Configuration

The following configuration commands constitute the basic steps for setting up the security appliance from the ground up:

• STEP 1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA Firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ciscoasa(config)# enable password mysecretpassword

• STEP 2: Enable Remote Command Line Management

You can access the security appliance remotely for Command Line Interface (CLI) management using either Telnet or SSH, and for Web-based graphical management using HTTPS (ASDM management). It is recommended to use SSH for CLI management since all communication with the firewall will be encrypted, compared with using Telnet which is not encrypted. To enable SSH on the ASA you need first to create a username/password for authentication, then generate RSA key pairs, and then specify the IP addresses of the management hosts/networks that are allowed to connect.

ciscoasa(config)# username admin password adminpassword privilege 15   <- Configure a username with the highest privilege level
ciscoasa(config)# aaa authentication ssh console LOCAL                  <- Use the local user database for SSH authentication
ciscoasa(config)# crypto key generate rsa                               <- Generate RSA keys for the firewall, which is required for SSH
Keypair generation process begin. Please wait...
ciscoasa(config)#
ciscoasa(config)# ssh 10.1.1.1 255.255.255.255 inside                  <- Specify the hosts allowed to connect to the security appliance
ciscoasa(config)# ssh 200.200.200.1 255.255.255.255 outside

• STEP 3: Configure a Firewall Hostname

The default hostname for Cisco ASA appliances is ciscoasa, and for the Cisco PIX appliance is pixfirewall. It is advisable to configure a unique hostname for a new firewall so that you can differentiate it from other firewalls that you may have in the network.

ciscoasa(config)# hostname NewYork-FW
NewYork-FW(config)#

Notice how the CLI prompt has changed to the new Hostname that you just configured.

• STEP 4: Configure Interface Commands

The Cisco ASA interfaces are numbered as GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2 etc (for the Cisco ASA 5510 model the interfaces are numbered as Ethernet0/0, Ethernet0/1 etc). The "interface" command will put you into a special configuration mode for the interface you specify (interface configuration mode), and then allow you to configure other interface sub-commands inside the interface mode. For Cisco ASA 5505, the interface commands are configured under the "interface Vlan x" mode.

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)#        <- Configure interface specific sub-commands

For Cisco ASA 5505:

ciscoasa(config)# interface Vlan 1
ciscoasa(config-if)#        <- Configure interface specific sub-commands

The minimum necessary interface sub-commands that you need to configure for an interface to pass traffic are the following:

o nameif "name": Assigns a name to the interface.
o ip address "ip/netmask": Assigns an IP address and netmask to the interface.
o security-level "0-100": Assigns a security level to the interface.
o no shutdown: By default all interfaces are shut down, so enable them.

The configuration snapshot below shows all necessary interface sub-commands.

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa(config-if)# security-level 100      <- By default the 'inside' interface is sec-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# security-level 0        <- By default the 'outside' interface is sec-level 0
ciscoasa(config-if)# no shutdown

• STEP 5: Configure NAT Control as needed (This is for versions lower than 8.3)

Another important configuration step is nat-control. NAT (Network Address Translation) was mandatory configuration in older Cisco PIX firewalls (PIX version 6.x) but with ASA Firewalls it is not. Nat-Control (which is disabled by default) specifies whether or not the security appliance will enforce address hiding (i.e. address translation) to ALL traffic passing from a high security level to a lower one. If you stay with the default configuration (i.e. nat-control disabled), this will allow you to apply NAT (address hiding) to only selected traffic as you require. If you enable nat-control (using the command: asa(config)# nat-control) then you MUST have a NAT rule for ALL traffic passing from a high security interface to a lower security interface. The NAT rule must match a corresponding "global" command (more on NAT later). With the default configuration (nat-control disabled) the ASA passes traffic between interfaces with no need to configure any NAT statements. You just need to have the proper Access Control Lists applied on each interface to enforce traffic flow policies.

NOTE: From ASA version 8.3 and later, "nat-control" and "global" commands are no longer supported.
• STEP 6: Configure Routing

Although dynamic routing protocols (RIP, OSPF, EIGRP) can also be configured, my recommendation is to use only default or static routing and avoid dynamic protocols in small networks. However dynamic routing protocols on the ASA are also useful in larger and complex networks. More on dynamic routing protocols in a later Chapter.

Use the route command to enter either a static or default route for an interface. The command format is:

ciscoasa(config)# route "interface-name" "destination-ip-address" "netmask" "gateway"

Let's see an example configuration below:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1                <- Default Route
ciscoasa(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1     <- Static Route required on ASA to reach network 192.168.2.0 via gateway 192.168.1.1

For the default route (usually towards the Internet), you set both the destination-ip-address and netmask to 0.0.0.0. Create also static routes to access specific known networks beyond the locally connected networks, as shown on the diagram above.

The routing configuration concludes the "Minimum Mandatory" steps needed for the security appliance to become operational. Next we will get into more details for further configuration features that will enhance the security of the networks protected by the firewall.
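Since the six steps above form one checklist, it is worth being able to verify a configuration listing against them before the firewall goes into service. The script below is an added example (not the book's or Cisco's code) that audits a listing for the items the steps require: an enable password, SSH access entries with no Telnet, a non-default hostname, the interface sub-commands on every named interface, and a default route. The listing it checks is a constructed sample written in the style of this section's snippets, with a Telnet entry and a missing security-level left in on purpose.

```python
# Added example, not from the book: audit an ASA configuration listing against the six
# basic steps of section 1.6. SAMPLE_CONFIG is a constructed listing with two deliberate
# gaps (a Telnet entry and an outside interface without a security-level).
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname NewYork-FW
enable password mysecretpassword
username admin password adminpassword privilege 15
aaa authentication ssh console LOCAL
ssh 10.0.0.50 255.255.255.255 inside
ssh timeout 5
telnet 10.0.0.0 255.255.255.0 inside
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
 security-level 100
 no shutdown
interface GigabitEthernet0/0
 nameif outside
 ip address 100.1.1.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 shutdown
route outside 0.0.0.0 0.0.0.0 100.1.1.1
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _is_access_entry(line: str) -> bool:
    """'ssh <host> <mask> <interface>' or 'teln
et ...' entries, unlike 'ssh timeout 5'."""
    parts = line.split()
    return len(parts) == 4 and bool(IPV4.match(parts[1])) and bool(IPV4.match(parts[2]))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands under each 'interface <name>' line."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return blocks


def audit_basic_config(config: str) -> List[str]:
    """One finding per missing or weak item; an empty list means the basic steps are covered."""
    findings: List[str] = []
    top = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(" ")]

    # STEP 1: privileged level password
    if not any(l.startswith("enable password ") for l in top):
        findings.append("STEP 1: no enable password configured")

    # STEP 2: remote CLI management over SSH, not Telnet
    if not any(l.startswith("ssh ") and _is_access_entry(l) for l in top):
        findings.append("STEP 2: no 'ssh <host> <mask> <interface>' entry; SSH management not enabled")
    for l in top:
        if l.startswith("telnet ") and _is_access_entry(l):
            findings.append(f"STEP 2: Telnet management allowed ({l}); traffic is not encrypted")

    # STEP 3: hostname changed from the default
    hostname = next((l.split()[1] for l in top if l.startswith("hostname ")), "ciscoasa")
    if hostname == "ciscoasa":
        findings.append("STEP 3: hostname is still the default 'ciscoasa'")

    # STEP 4: every named interface needs ip address, security-level and no shutdown
    for name, subs in parse_interfaces(config).items():
        nameif = next((s.split()[1] for s in subs if s.startswith("nameif ")), None)
        if nameif is None:
            continue  # unused interface, nothing to check
        if not any(s.startswith("ip address ") for s in subs):
            findings.append(f"STEP 4: {name} ({nameif}) has no ip address")
        if not any(s.startswith("security-level ") for s in subs):
            findings.append(f"STEP 4: {name} ({nameif}) has no explicit security-level")
        if "no shutdown" not in subs:
            findings.append(f"STEP 4: {name} ({nameif}) is still shut down (interfaces are down by default)")

    # STEP 6: default route (STEP 5, nat-control, only exists before 8.3 and is not checked here)
    if not any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in top):
        findings.append("STEP 6: no default route configured")
    return findings


if __name__ == "__main__":
    for finding in audit_basic_config(SAMPLE_CONFIG):
        print(finding)
```

For the sample listing the audit reports the Telnet entry and the outside interface without a security-level; removing the Telnet line and adding "security-level 0" under the outside interface brings the finding list to empty.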
Chapter 2 Configuring Network Address Translation

In this chapter we will talk about a very important security mechanism that has to do with IP address translation (address hiding), its different types, and how the firewall appliance handles the translation mechanisms. From Cisco ASA version 8.3 and later, the Network Address Translation (NAT) configuration has been completely redesigned to allow for greater flexibility. In this Chapter I will describe Network Translation for versions prior to 8.3 and for versions 8.3 and later as well.

NOTE: For all the NAT scenarios that will follow below, when we say "ASA Versions 8.3 and Later" it includes also ASA versions 9.x.

2.1 Network Address Translation (NAT) Overview

The depletion of the public IPv4 address space has forced the Internet Community to think about alternative ways of addressing networked hosts. NAT therefore was created to overcome these addressing problems that occurred with the expansion of the Internet.

Some of the advantages of using NAT in IP networks are the following:

• NAT helps to mitigate global public IP address depletion.
• Networks can use the RFC 1918 private address space internally.
• NAT increases security by hiding the internal network topology and addressing.

The figure below shows a basic topology with an "inside" network for which the ASA Firewall performs a NAT operation to translate the "inside" address into an "outside" address, thus hiding the internal IP range. Note that the translation is usually applied to the "source" IP address of the packets.
The above is an example of dynamic NAT which is always used for OUTBOUND traffic, that is, traffic from an internal network (higher security level) towards an outside network (lower security level). In the figure above, traffic from the host with private IP address 192.168.1.1 is translated into a public, routable address, 100.1.1.2, in order to be routed towards the Internet. Now, the reply packets from the Internet back to our internal host will have as destination address the IP 100.1.1.2, for which the Firewall already has a translation rule established. The firewall will then translate the public address 100.1.1.2 back into 192.168.1.1 and deliver it to the internal host. The "nat" and "global" commands work together (versions prior to 8.3) to create the translation rules which enable your internal network to use any IP addressing scheme and at the same time remain hidden from the outside world.

Let's see some terminology that will be used in this Chapter:

• Real IP address/Interface: The Real IP address is the address which is actually configured on the host (the untranslated address). From our example diagram above, the Real IP address is 192.168.1.1 and the Real Interface is the Inside ASA interface.

• Mapped IP address/Interface: The Mapped IP address is the address that the Real address is translated to. From our example diagram above, the Mapped IP address is 100.1.1.2 and the Mapped Interface is the Outside ASA interface.


Cisco ASA firewalls support four types of address translations:

• Dynamic NAT translation: Translates source addresses on higher security interfaces into a range (or pool) of IP addresses on a less secure interface, for outbound connections. The "nat" command defines which internal hosts will be translated, and the "global" command defines the pool of IP addresses (mapped addresses) on the outgoing interface. Dynamic NAT is used for outbound communication only.

• Dynamic PAT (Port Address Translation): This is called "Many-to-One" Translation. A range of Real IP addresses is mapped to a single IP address using a unique source port of that address.

• Static NAT translation: Provides a permanent, one-to-one address mapping between a Real IP address and a Mapped IP address. The Real IP should be on a higher security interface and the Mapped IP on a lower security interface. With the appropriate Access Control List (ACL), static NAT allows hosts on a less secure interface (e.g. Internet) to access hosts on a higher security interface (e.g. Web Server on DMZ) without exposing the actual IP address of the host on the higher security interface. Static NAT is used for Bidirectional communication.

• Identity NAT: Identity NAT lets you translate a Real IP address to itself, essentially bypassing NAT. Identity NAT is useful in VPN Configuration where we need to exempt VPN traffic from the NAT operation.

2.1.1 Configuring Dynamic NAT Translation

Cisco ASA Versions prior to 8.3

In this section we will describe Dynamic NAT translation with several scenarios. Dynamic NAT is implemented using a combination of two commands: "nat" and "global". The Real IP network to be translated is defined by the "nat" command and the Mapped IP pool that will be used for translation is defined by the "global" command. The format of the "nat" and "global" commands as used in Dynamic NAT is shown below:

ciscoasa(config)# nat (Real_interface_name) "nat-id" "internal network IP subnet"
ciscoasa(config)# global (Mapped_interface_name) "nat-id" "external IP pool range"

Cisco ASA Versions 8.3 and later

In Cisco ASA version 8.3 (announced on March 8, 2010), the NAT configuration has been completely changed. The "nat-control", "static" and "global" commands are not available anymore. Also, the new version's syntax uses the "nat" command differently as we will describe below. If you are upgrading to version 8.3 or later from an older version, there will be a migration of the old NAT statements.

In versions 8.3 and later (including 9.x) the ASA firewall implements NAT in two ways:

• Network Object NAT
• Twice NAT

Cisco recommends using "Network Object NAT" instead of "Twice NAT" because it is easier to configure and more reliable. Twice NAT on the other hand is more scalable and has some extra features but is more complex than network object NAT. In this Chapter we will focus only on Network Object NAT.

2.1.1.1 Network Object NAT Configuration

Basically you configure NAT under a network object. The network object itself defines the Real IP address/subnet which is going to be translated. Inside the network object you configure the "nat" command, which specifies a pair of interfaces between which the NAT will take place and a Mapped IP address pool.

STEP 1:

First create network objects to define the Real IP addresses and the Mapped IP addresses. The network objects can contain a single IP address (host), a network subnet, or a range of IP addresses. The network object which defines the Real IP addresses must contain also the nat statement.

ciscoasa(config)# object network [obj_name]
ciscoasa(config-network-object)# {host ip-addr | subnet net-addr net-mask | range ip1 ip2}

STEP 2:

Then we configure the "nat" statement inside the network object which defines the Real IP addresses.

ciscoasa(config-network-object)# nat (real_if, mapped_if) dynamic [mapped-ip | mapped_obj]

"real_if" and "mapped_if" define the internal and external interfaces respectively between which the Dynamic NAT will take place. After the "dynamic" keyword we use a mapped IP or a mapped network object which define the IP addresses that the real addresses will be translated to. For "real_if" or "mapped_if" we can use the keyword "any" to specify any interface.


Scenario 1: Simple Dynamic Inside NAT Translation

Cisco ASA Versions prior to 8.3

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0                       <- Inside net to be translated
ciscoasa(config)# global (outside) 1 100.1.1.2-100.1.1.50 netmask 255.255.255.0   <- Outside pool

In the scenario above the firewall will perform dynamic NAT to all inside hosts (192.168.1.0/24). The source IP addresses of outbound traffic from inside to outside will be translated into addresses from the Outside Global pool 100.1.1.2 up to 100.1.1.50. Notice the nat-id value (1). This number binds the nat command with the global command. Its importance will be clearer in our next scenarios.

Also note the names "inside" and "outside" used in the nat and global commands. These names are the ones assigned under the interface configuration with the "nameif" command.
Cisco ASA Versions 8.3 and later

ciscoasa(config)# object network mapped_public_pool                    <- Create the Mapped addresses object
ciscoasa(config-network-object)# range 100.1.1.2 100.1.1.50            <- Outside public pool

ciscoasa(config)# object network my_internal_net                       <- Create the Real IP addresses object
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0      <- LAN to be translated
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped_public_pool

The example above will hide the hosts in 192.168.1.0/24 behind addresses in the range 100.1.1.2 up to 100.1.1.50. The dynamic NAT translation will take place between the inside and outside interfaces.

NOTE: Because the internal network has more addresses than the Mapped Public Pool, we can use the outside interface IP as NAT fallback. After the mapped IP addresses are used up, then the IP address of the mapped interface (outside ASA interface) will be used. See below how to configure dynamic NAT fallback:

ciscoasa(config)# object network my_internal_net                       <- Create the Real IP addresses object
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0      <- LAN to be translated
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped_public_pool interface

Note the usage of the "interface" keyword just after the "mapped_public_pool" network object.
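The model below is an added example (not the book's or Cisco's code) of the translation behaviour described in 2.1 and in the scenario above: a pool of mapped addresses is handed out one-to-one to inside hosts, and once the pool is exhausted further connections fall back to the mapped interface address with a unique source port, which is the Many-to-One translation (dynamic PAT). The pool matches the scenario (100.1.1.2 to 100.1.1.50); the outside interface address 100.1.1.1, the port numbering and the sample hosts are constructed, and the show_xlate output only approximates the appliance's table.

```python
# Added example, not from the book: dynamic NAT from a mapped pool with the "interface"
# fallback (dynamic PAT on the mapped interface address). The pool follows Scenario 1;
# the interface address 100.1.1.1, the PAT port numbering and the hosts are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def ip_range(first: str, last: str) -> List[str]:
    """Expand 'range 100.1.1.2 100.1.1.50' into the individual mapped addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


@dataclass
class DynamicNat:
    real_subnet: str              # the Real addresses object, e.g. subnet 192.168.1.0/24
    mapped_pool: List[str]        # the Mapped addresses object (a range)
    interface_ip: Optional[str]   # set when the 'interface' fallback keyword is used
    xlate: Dict[str, str] = field(default_factory=dict)   # real ip -> mapped ip (dynamic NAT)
    pat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # (real ip, port) -> (if ip, port)
    _next_pat_port: int = 1024

    def translate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, int]]:
        """Outbound connection from real_ip:real_port. Returns (mapped ip, mapped port),
        or None when no translation applies and the connection cannot be built."""
        if ipaddress.ip_address(real_ip) not in ipaddress.ip_network(self.real_subnet):
            return None                                 # not covered by this nat statement
        if real_ip in self.xlate:                       # an existing xlate entry is reused
            return self.xlate[real_ip], real_port
        free = [m for m in self.mapped_pool if m not in self.xlate.values()]
        if free:
            self.xlate[real_ip] = free[0]               # one-to-one, source port preserved
            return free[0], real_port
        if self.interface_ip is None:
            return None                                 # pool exhausted, no fallback configured
        key = (real_ip, real_port)
        if key not in self.pat:                         # many-to-one: interface IP, unique port
            self.pat[key] = (self.interface_ip, self._next_pat_port)
            self._next_pat_port += 1
        return self.pat[key]

    def show_xlate(self) -> List[str]:
        """Lines in the spirit of 'show xlate': Global <mapped> Local <real>."""
        lines = [f"Global {m} Local {r}" for r, m in self.xlate.items()]
        lines += [f"PAT Global {m}({mp}) Local {r}({rp})" for (r, rp), (m, mp) in self.pat.items()]
        return lines


def demo() -> DynamicNat:
    """60 inside hosts open one connection each against a 49-address pool with interface fallback."""
    nat = DynamicNat(real_subnet="192.168.1.0/24",
                     mapped_pool=ip_range("100.1.1.2", "100.1.1.50"),
                     interface_ip="100.1.1.1")          # constructed outside interface address
    for host in range(10, 70):
        nat.translate(f"192.168.1.{host}", 40000 + host)
    return nat


if __name__ == "__main__":
    for line in demo().show_xlate():
        print(line)
```

In the demo the first 49 hosts each receive their own pool address, and the remaining 11 share the interface address, distinguished only by the assigned source port; without the fallback (interface_ip set to None) those 11 connections would simply fail once the pool is used up.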











Scenario 2: Dynamic NAT for Multiple Internal Networks

Cisco ASA Versions prior to 8.3

[Diagram: internal networks behind the inside interface (192.168.2.0/24 shown), NAT (id 1), Outside]

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0                         <- First Internal Network
ciscoasa(config)# nat (inside) 2 192.168.2.0 255.255.255.0                         <- Second Internal Network
ciscoasa(config)# global (outside) 1 100.1.1.2-100.1.1.50 netmask 255.255.255.0
ciscoasa(config)# global (outside) 2 100.1.1.51-100.1.1.100 netmask 255.255.255.0

The scenario here shows the importance of the nat-id parameter and how this is used to bind together a nat/global command pair. The nat-id (1) in the first nat command statement tells the firewall to translate the internal network 192.168.1.0/24 addresses into those in the mapped global IP pool containing the same nat-id (i.e. 100.1.1.2 up to 100.1.1.50). Similarly, the nat-id (2) in the second nat statement tells the firewall to translate addresses for hosts in 192.168.2.0/24 to the addresses in the mapped global pool 2 with nat-id (2) (i.e. 100.1.1.51 up to 100.1.1.100).
Cisco ASA Versions 8.3 and later

Let's see how to configure the scenario above with ASA version 8.3 or later. Hosts from internal network 192.168.1.0/24 will be translated to addresses from Outside IP pool 1 (100.1.1.2 up to 100.1.1.50) and hosts from internal network 192.168.2.0/24 will be translated to addresses from Outside IP pool 2 (100.1.1.51 up to 100.1.1.100).

ciscoasa(config)# object network mapped_ip_pool_1                      <- Create the Mapped 1 addresses object
ciscoasa(config-network-object)# range 100.1.1.2 100.1.1.50            <- Outside IP pool 1

ciscoasa(config)# object network lan_1
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0      <- LAN 1 to be translated
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped_ip_pool_1

ciscoasa(config)# object network mapped_ip_pool_2                      <- Create the Mapped 2 addresses object
ciscoasa(config-network-object)# range 100.1.1.51 100.1.1.100          <- Outside IP pool 2

ciscoasa(config)# object network lan_2
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0      <- LAN 2 to be translated
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped_ip_pool_2









Cisco ASA Versions prior to 8.3

[Diagram: inside network 192.168.1.0/24, DMZ network 172.16.1.0/24 and the outside interface of the ASA]

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 <- Inside Subnet
ciscoasa(config)# nat (DMZ) 1 172.16.1.0 255.255.255.0 <- DMZ Subnet
ciscoasa(config)# global (DMZ) 1 172.16.1.100-172.16.1.254 netmask 255.255.255.0 <- Mapped pool used towards the DMZ
ciscoasa(config)# global (outside) 1 100.1.1.1-100.1.1.254 netmask 255.255.255.0 <- Mapped pool used towards the outside

In the scenario above, assume that the "inside" interface has security level 100, the "DMZ" interface has
security level 50, and the "outside" interface has security level 0. This means that "inside" hosts can
initiate connections to lower security level interfaces (i.e both "DMZ" and "outside"). Also, these
security levels allow hosts on the DMZ interface to initiate connections towards the outside
interface.


Because both of the mapped pools (global commands) and the nat (inside) command use the same
nat-id of 1, addresses for hosts on the inside network (192.168.1.0/24) can be translated to those in
either mapped pool, depending on the destination of the traffic. Therefore, when hosts on the inside
interface access hosts on the DMZ, the global (DMZ) command causes their source addresses to be
translated to addresses in the range 172.16.1.100 - 172.16.1.254. Similarly, when inside hosts
access hosts on the outside, the global (outside) command causes their source addresses to be
translated into the range 100.1.1.1 - 100.1.1.254.

Moreover, the configuration above also allows hosts on the DMZ to use NAT when accessing outside
hosts. The nat (DMZ) together with the global (outside) command will cause the source address of
DMZ hosts (172.16.1.0/24) to be translated into the outside range 100.1.1.1 - 100.1.1.254.


Monitoring NAT Translations

The "ciscoasa# show xlate" command displays the contents of the NAT translation table.

e.g Global 100.1.1.10 Local 192.168.1.10

The output above shows that the private local address 192.168.1.10 has been assigned the global pool
address 100.1.1.10.


Cisco ASA Version 8.3 and later

For version 8.3 and later this scenario becomes more complicated to configure. We have three
firewall network zones, Inside, DMZ, and Outside. Traffic from Inside going to the DMZ network must
be translated to Mapped IP Pool 172.16.1.100-254 and traffic from Inside going to Outside must be
translated to Mapped IP Pool 100.1.1.1-254. Moreover, traffic from DMZ going to Outside must also
be translated to the outside Mapped IP Pool 100.1.1.1-254.

Let's first create the two network objects for the two Mapped IP pools.

ciscoasa(config)# object network mapped_IP_pool_1 <- Create the Mapped 1 addresses object
ciscoasa(config-network-object)# range 172.16.1.100 172.16.1.254 <- DMZ IP pool 1

ciscoasa(config)# object network mapped_IP_pool_2 <- Create the Mapped 2 addresses object
ciscoasa(config-network-object)# range 100.1.1.1 100.1.1.254 <- Outside IP pool 2

Then we create the network objects for the Real IP addresses. We will have to create a different object
for each of the three traffic flows (inside_to_dmz, inside_to_outside, dmz_to_outside), because a
network object can carry only one nat statement.

ciscoasa(config)# object network inside_to_dmz <- translation when going from inside to dmz
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,dmz) dynamic mapped_IP_pool_1

ciscoasa(config)# object network inside_to_outside <- translation when going from inside to outside
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped_IP_pool_2

ciscoasa(config)# object network dmz_to_outside <- translation when going from dmz to outside
ciscoasa(config-network-object)# subnet 172.16.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (dmz,outside) dynamic mapped_IP_pool_2


2.1.2 Configuring Dynamic Port Address Translation (PAT) 


With Dynamic NAT we assume that we have a range (pool) of public addresses that we use to
translate our internal network private addresses. In real situations, an enterprise receives only a
limited number of public addresses from its ISP, whereas the number of internal private addresses
is much bigger. This means that if we use Dynamic NAT in such a situation, the external public
address pool (Mapped IP pool) will be depleted really fast when many internal hosts access the
Internet simultaneously.

To overcome this problem, we can use a "many-to-one" address translation, also called Port
Address Translation (PAT). Using PAT, multiple connections from different internal hosts can be
multiplexed over a single global (public) IP address using different source port numbers. Let's see
an example below:
Cisco ASA Versions prior to 8.3

[Diagram: inside network 192.168.1.0/24 translated with PAT to a single address towards the Internet]

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 <- Inside Subnet to use PAT
ciscoasa(config)# global (outside) 1 100.1.1.2 netmask 255.255.255.255 <- Use a single global IP address for PAT

In the example above, all internal private addresses (192.168.1.0/24) will use a single public IP
address (100.1.1.2) with different source port numbers. For example, when host 192.168.1.1
connects to an outside host on the Internet, the firewall will translate its source address and port into
100.1.1.2 with source port 1024. Similarly, host 192.168.1.2 will also be translated into 100.1.1.2
but with a different source port (1025). The source ports are dynamically changed to a unique
number greater than 1023. A single PAT address therefore supports roughly 64,000 simultaneous
translations (one per source port from 1024 to 65535); the limit is on concurrent connections rather
than on hosts, so in practice one PAT address serves many thousands of inside hosts.

Monitoring PAT Translations

The "ciscoasa# show xlate" command displays the contents of the PAT translation table,
e.g PAT Global 100.1.1.2(1024) Local 192.168.1.1(4513)

The output above shows that a connection from the private local address 192.168.1.1 with source
port 4513 is translated into address 100.1.1.2 with source port 1024.

The firewall keeps track of all NAT sessions using its xlate table, so that when a reply packet comes
back from outside, the firewall will check its translation table to see which port number belongs to
the particular reply packet in order to deliver it to the correct internal host.
Cisco ASA Version 8.3 and later

You can configure the single Mapped IP address either as a network object or directly within the "nat"
statement. For example, assume that we want to hide our internal network 192.168.1.0/24 behind
the public IP address 100.1.1.2:

ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.1.1.2

There are several different scenarios in which PAT can be used in a network. We will describe them
next.

Scenario 1: PAT using the outside interface address

Instead of configuring a specific IP address in the global command to be used for PAT (as in the
example above), we can specify the outside interface as the PAT address. This scenario is important
when our firewall obtains a dynamic public IP address from the Internet Service Provider (ISP), in
which case we don't know the exact address to configure on the global command.


Refer to the diagram below for a configuration example using the DHCP-assigned outside address for PAT:

[Diagram: inside network 192.168.1.0/24 behind the ASA; the outside interface address is assigned by the ISP via DHCP and is used as the PAT address]
Cisco ASA Versions prior to 8.3

ciscoasa(config)# interface G0/0
ciscoasa(config-if)# ip address dhcp setroute <- Get outside address and gateway from ISP
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 <- Inside Subnet to use PAT
ciscoasa(config)# global (outside) 1 interface <- Use the outside IP address for PAT

The "ip address dhcp setroute" interface command configures the firewall to work as a DHCP
client towards the ISP and obtain a public address automatically. The "setroute" parameter tells the
firewall to set its default route using the default gateway value that the DHCP server
provides. Do not configure a default route when using the setroute option.


Cisco ASA Version 8.3 and later

To use the outside ASA interface address to perform PAT in version 8.3 and later do the following:

ciscoasa(config)# interface G0/0
ciscoasa(config-if)# ip address dhcp setroute <- Get outside address and gateway from ISP
ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Scenario 2: Mapping different internal subnets to different PAT addresses

Cisco ASA Versions prior to 8.3

Using the nat-id parameter we can bind two or more nat/global statement pairs in order to map
different internal network subnets to different PAT addresses, as shown in the diagram below:

[Diagram: 192.168.1.0/24 is translated with PAT (nat-id 1) to PAT1 100.1.1.1 and 192.168.2.0/24 with PAT (nat-id 2) to PAT2 100.1.1.2 towards the Internet]

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 100.1.1.1 netmask 255.255.255.255

ciscoasa(config)# nat (inside) 2 192.168.2.0 255.255.255.0
ciscoasa(config)# global (outside) 2 100.1.1.2 netmask 255.255.255.255

Outbound connections from internal subnet 192.168.1.0/24 will appear to originate from address
100.1.1.1 and outbound connections from subnet 192.168.2.0/24 will appear to originate from
address 100.1.1.2.


Cisco ASA Version 8.3 and later

In this scenario, internal network 192.168.1.0/24 will be hidden behind PAT address 100.1.1.1 and
internal network 192.168.2.0/24 will be hidden behind PAT address 100.1.1.2.

ciscoasa(config)# object network internal_lan1
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.1.1.1

ciscoasa(config)# object network internal_lan2
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.1.1.2


Scenario 3: Using Dynamic NAT with PAT backup

We can use a pool of several public IP addresses for Dynamic NAT translation, and back up this
pool with a single PAT address in case the addresses in the global pool are exhausted.

Cisco ASA Versions prior to 8.3

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 100.1.1.100-100.1.1.253 netmask 255.255.255.0
ciscoasa(config)# global (outside) 1 100.1.1.254 netmask 255.255.255.255

Outbound connections from the internal network 192.168.1.0/24 are assigned addresses from the
range 100.1.1.100 up to 100.1.1.253. If the firewall has assigned all addresses from its dynamic pool, it
will overflow to its PAT address 100.1.1.254.


Cisco ASA Version 8.3 and later

The mapped IP pool 100.1.1.100-100.1.1.253 will be used for Dynamic NAT translation of the
internal network 192.168.1.0/24. If the Mapped pool is exhausted, the single PAT address
100.1.1.254 will be used for translation. Both are placed in one object group: the ASA uses the
address range in the group for dynamic NAT and the single host address in the group for PAT backup.

ciscoasa(config)# object network mapped_IP_pool
ciscoasa(config-network-object)# range 100.1.1.100 100.1.1.253

ciscoasa(config)# object network PAT_IP
ciscoasa(config-network-object)# host 100.1.1.254

ciscoasa(config)# object-group network nat_pat
ciscoasa(config-network-object-group)# network-object object mapped_IP_pool
ciscoasa(config-network-object-group)# network-object object PAT_IP

ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic nat_pat
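To make the pool-then-PAT behaviour of this scenario and the "show xlate" output from the monitoring paragraphs above concrete, here is a small Python model of the ASA translation table. It is an added example and not the book's or Cisco's code. The addresses are those of Scenario 3, but the pool is deliberately shrunk to two addresses (a constructed setup) so that the overflow to PAT becomes visible after four hosts, and the sequential port allocation starting at 1024 is an assumption that mirrors the book's explanation rather than the appliance's real allocator.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAT_FIRST_PORT = 1024  # the ASA allocates PAT source ports above 1023


@dataclass
class Xlate:
    """One entry of the translation table, rendered like a 'show xlate' line."""
    local_ip: str
    global_ip: str
    local_port: Optional[int] = None   # None => plain dynamic NAT, ports untouched
    global_port: Optional[int] = None

    def show(self) -> str:
        if self.global_port is None:
            return f"Global {self.global_ip} Local {self.local_ip}"
        return (f"PAT Global {self.global_ip}({self.global_port}) "
                f"Local {self.local_ip}({self.local_port})")


@dataclass
class DynamicNatWithPatBackup:
    """Dynamic NAT from a mapped pool; once the pool is empty, new hosts are
    PAT-ed many-to-one behind pat_ip (the book's Scenario 3)."""
    pool: List[str]
    pat_ip: str
    _free_pool: List[str] = field(init=False)
    _next_pat_port: int = field(default=PAT_FIRST_PORT, init=False)
    table: Dict[object, Xlate] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        self._free_pool = list(self.pool)

    def translate(self, local_ip: str, local_port: int) -> Xlate:
        # A host that already holds a pool address reuses it for every connection.
        existing = self.table.get(local_ip)
        if existing is not None:
            return existing
        if self._free_pool:
            xlate = Xlate(local_ip, self._free_pool.pop(0))
            self.table[local_ip] = xlate
            return xlate
        # Pool exhausted: overflow to PAT, one xlate per (host, source port).
        if self._next_pat_port > 65535:
            raise RuntimeError("PAT address exhausted")
        xlate = Xlate(local_ip, self.pat_ip, local_port, self._next_pat_port)
        self._next_pat_port += 1
        self.table[(local_ip, local_port)] = xlate
        return xlate

    def show_xlate(self) -> List[str]:
        return [x.show() for x in self.table.values()]


def ip_range(first: str, last: str) -> List[str]:
    """Expand '100.1.1.100' .. '100.1.1.101' the way a 'range' object does."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def demo() -> List[str]:
    """Constructed traffic: four inside hosts each open one connection against a
    deliberately tiny two-address pool, so hosts 3 and 4 must fall back to PAT."""
    nat = DynamicNatWithPatBackup(pool=ip_range("100.1.1.100", "100.1.1.101"),
                                  pat_ip="100.1.1.254")
    for i in range(1, 5):
        nat.translate(f"192.168.1.{i}", 40000 + i)
    return nat.show_xlate()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints two plain "Global ... Local ..." lines for the hosts that got pool addresses, followed by two "PAT Global 100.1.1.254(port) Local ..." lines for the hosts that overflowed, which is exactly the shape of output to look for in "show xlate" when checking whether a pool is sized correctly.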
2.1.2.1 Per-Session PAT and Multi-Session PAT (for ASA 9.x and later)

In ASA version 9.x, Port Address Translation (PAT) was enhanced with two types of PAT
mechanisms: Per-Session PAT and Multi-Session PAT.

* Per-Session PAT: This PAT mechanism is enabled by default for all TCP traffic and for UDP
DNS traffic. Per-Session PAT greatly improves the scalability of PAT because at the end of
each per-session PAT connection, the ASA sends a reset and immediately removes the
translation, thus tearing down the connection and hence freeing the port and other resources
on the device. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature is very efficient.
However, for real-time traffic (such as VoIP, H.323, SIP etc) Per-Session PAT is not suitable.

As we've said above, per-session PAT is enabled by default. The following PAT rules are configured
by default:

xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

NOTE: In ASA version 9.x, the configuration keyword "any4" means ALL IPv4 traffic, and the
keyword "any6" means ALL IPv6 traffic. If you use the keyword "any" it means ALL IPv4 and IPv6
traffic.

* Multi-Session PAT: Multi-session PAT, on the other hand, waits for the PAT timeout (by
default 30 seconds) before tearing down the translation and hence the connection. Multi-
Session PAT is useful for VoIP, H.323, SIP and Skinny traffic. Therefore whenever you have
this kind of traffic in your network it's recommended to deny Per-Session PAT for it in order to
use Multi-Session PAT.
For example, assume we have a SIP server in our network (with IP 10.10.10.10) and we want its
connections to use multi-session PAT. Since per-session PAT is applied by default only to TCP (and
to UDP DNS), we configure a deny rule for the server's TCP traffic as shown below:

ASA(config)# xlate per-session deny tcp host 10.10.10.10 any4

The above configuration denies per-session PAT for SIP server 10.10.10.10 so that it uses
multi-session PAT. Manually configured per-session rules are evaluated before the default permit
rules listed above, which is why the deny takes effect.
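The rule list above is ordinary first-match policy, so the following Python evaluator shows which flows end up per-session and which multi-session. It is an added example, not the book's or Cisco's code. It assumes, as the text states, that manually configured rules are evaluated before the eight built-in defaults and that any4/any6 match only IPv4/IPv6 addresses; only the "eq" port operator and "host"/bare IP addresses are modelled, and the SIP server rule is the one from the text.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# The eight built-in rules from the text; user rules are evaluated before them.
DEFAULT_RULES = [
    "xlate per-session permit tcp any4 any4",
    "xlate per-session permit tcp any4 any6",
    "xlate per-session permit tcp any6 any4",
    "xlate per-session permit tcp any6 any6",
    "xlate per-session permit udp any4 any4 eq domain",
    "xlate per-session permit udp any4 any6 eq domain",
    "xlate per-session permit udp any6 any4 eq domain",
    "xlate per-session permit udp any6 any6 eq domain",
]
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "sip": 5060}


class Rule(NamedTuple):
    action: str            # permit => per-session, deny => multi-session
    proto: str             # tcp | udp
    src: str               # any | any4 | any6 | IP address
    dst: str
    dport: Optional[int]   # None => any destination port


def parse_rule(line: str) -> Rule:
    tok = line.split()
    assert tok[:2] == ["xlate", "per-session"], line
    action, proto, rest = tok[2], tok[3], tok[4:]
    src = rest.pop(0)
    if src == "host":                  # accept both 'host A.B.C.D' and a bare address
        src = rest.pop(0)
    dst = rest.pop(0)
    if dst == "host":
        dst = rest.pop(0)
    dport = None
    if rest:                           # only 'eq <port>' is modelled
        assert rest[0] == "eq" and len(rest) == 2, line
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Rule(action, proto, src, dst, dport)


def addr_matches(pattern: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if pattern == "any":
        return True
    if pattern == "any4":
        return addr.version == 4
    if pattern == "any6":
        return addr.version == 6
    return ipaddress.ip_address(pattern) == addr


def is_per_session(user_rules: List[str], proto: str, src: str, dst: str, dport: int) -> bool:
    """True  => per-session PAT: xlate torn down as soon as the connection ends.
    False => multi-session PAT: xlate kept until the PAT timeout (30 s default)."""
    for raw in list(user_rules) + DEFAULT_RULES:
        r = parse_rule(raw)
        if (r.proto == proto and addr_matches(r.src, src) and addr_matches(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return r.action == "permit"
    return False   # nothing matched: the flow is not per-session


if __name__ == "__main__":
    deny_sip = ["xlate per-session deny tcp host 10.10.10.10 any4"]
    # SIP server's TCP flows: multi-session; an ordinary workstation's HTTPS: per-session.
    print(is_per_session(deny_sip, "tcp", "10.10.10.10", "203.0.113.5", 5060))
    print(is_per_session(deny_sip, "tcp", "192.168.1.7", "203.0.113.5", 443))
```

A useful side effect of running flows through this model is that it makes the default asymmetry visible: a UDP SIP flow on port 5060 is already multi-session because only UDP DNS is covered by the defaults, so a deny rule is only needed for the TCP side.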


2.1.3 Configuring Static Address Translation (Static NAT)

The two translation types that we've discussed in the previous sections (Dynamic NAT and PAT)
are used for outbound communication only (i.e from higher security level to lower security level).
However, if an outside host (let's say a host on the Internet) wants to initiate communication to an
internal host behind the firewall, this is not possible if we have only Dynamic NAT or PAT
configured. This is very good in terms of security, but there are several cases where we must allow
inbound communication as well (i.e from lower security to higher security levels, e.g outside to inside).
To achieve this we MUST use Static NAT translation and also configure an appropriate Access
Control List. Static NAT permanently maps a host address to a fixed global (outside) address.

The most important reasons to use Static NAT are the following:

* We have an internal server with a private IP address (e.g our company's email or web server)
that must always appear with a fixed public IP address on the Outside interface of the
firewall.

* We want to allow hosts from the Outside (e.g Internet) to initiate connections to a local
internal server (e.g our Web or email server).

* We want to use Port Redirection (more on this later).
Static NAT in Cisco ASA Versions prior to 8.3

The command format for static NAT is the following:

ciscoasa(config)# static (real_interface_name, mapped_interface_name) "mapped_IP" "real_IP" netmask "subnet_mask"

To configure static NAT we need to know the following parameters:

1. Between which two interfaces the translation will take place. The two interfaces are defined
as the real_interface and the mapped_interface. The real interface (e.g DMZ interface or
inside interface) must have a higher security level than the mapped interface (e.g Outside
interface).

2. The real_IP address of the host (the IP actually configured on the Network Card of the host).

3. The mapped_IP (or translated) IP address of the host (i.e the address by which the host will be
known to the Outside networks).

A little "catch" that you need to be careful with in the static command is the following: when entering
the interface names in the parenthesis, you enter the real_interface name first followed by the
mapped_interface name (see command format above). However, when you configure the IP
addresses after the interface names, you enter the mapped_IP address first followed by the real_IP
address. Let's see some example scenarios to make things clear:

[Diagram: Inside network 192.168.1.0/24 (G0/1), DMZ network 10.0.0.0/24 (G0/2) hosting the Web Server 10.0.0.1 (mapped to 100.1.1.1) and the Email Server 10.0.0.2 (mapped to 100.1.1.2), Outside interface G0/0 towards the Internet]

The network topology above is classic in many enterprises. Usually there is an Inside network on
the firewall which hosts all internal employees' computers, an Outside network that connects to the
Internet and there is also a Demilitarized Zone (DMZ) that hosts servers which should be accessible
from the Internet (in our example, a Web Server and an Email Server). In this scenario static NAT
must be used for the DMZ servers so that their real private IP address is always translated to a fixed
public IP address (10.0.0.1 translated to 100.1.1.1 and 10.0.0.2 translated to 100.1.1.2).

In our scenario above we have the following:

* Real Interface name: DMZ

* Mapped Interface name: Outside

* Real IP addresses: 10.0.0.1 and 10.0.0.2

* Mapped IP addresses: 100.1.1.1 and 100.1.1.2
Static NAT in Cisco ASA Versions prior to 8.3

See the configuration below:

cisc oasa(config)# static (DMZ,outside) 100.1.1.1 10.0.0.1 netmask 255.255.255.255
ciscoasa(config)# static (DMZ,outside) 100.1.1.2 10.0.0.2 netmask 255.255.255.255

The above statements enable bi-directional communication for the web and email servers. Now
outside hosts can reach our web and email servers via their public addresses 100.1.1.1 and 100.1.1.2.
However, an ACL is still needed on the outside interface to allow the communication.

Static NAT in Cisco ASA Version 8.3 and later

Now let's see how to configure the scenario above in ASA version 8.3 and later. Static NAT
uses the same concept as Dynamic NAT (i.e using network objects) but instead of using the
keyword "dynamic" in the "nat" statement we use the keyword "static". The command format of
the "nat" statement for static NAT is:

ciscoasa(config-network-object)# nat (real_if,mapped_if) static {mapped_ip | mapped_obj}

To configure scenario 1 above in versions 8.3 and later execute the following commands:

ciscoasa(config)# object network web_server_static
ciscoasa(config-network-object)# host 10.0.0.1 <- Real IP of Web Server
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1 <- Mapped IP

ciscoasa(config)# object network email_server_static
ciscoasa(config-network-object)# host 10.0.0.2 <- Real IP of Email Server
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.2 <- Mapped IP
Scenario 2: Static NAT of a whole subnet

Instead of permanently translating single host addresses, we can create permanent address
mappings for a whole subnet with a single command. Referring to the previous diagram in scenario
1 above, assume that we have a whole class C public address range 100.1.1.0/24. We can translate
the whole DMZ range 10.0.0.0/24 with one command:

ciscoasa(config)# static (DMZ,outside) 100.1.1.0 10.0.0.0 netmask 255.255.255.0

Any packet sourced from a server address on the DMZ subnet 10.0.0.0/24 will be translated to a
host address on the 100.1.1.0/24 subnet on the outside, keeping the host part of the address
(e.g 10.0.0.20 will be translated to 100.1.1.20).

To configure scenario 2 above (i.e static NAT of a whole network) in versions 8.3 and later:

ciscoasa(config)# object network mapped_static_range
ciscoasa(config-network-object)# subnet 100.1.1.0 255.255.255.0

ciscoasa(config)# object network dmz_network
ciscoasa(config-network-object)# subnet 10.0.0.0 255.255.255.0 <- DMZ subnet
ciscoasa(config-network-object)# nat (DMZ,outside) static mapped_static_range
Scenario 3: Static Port Address Translation (Port Redirection)

[Diagram: DMZ Network 10.0.0.0/24 with the Web Server 10.0.0.1 (port 80) and the Email Server 10.0.0.2 (port 25), both reachable through the single public address 100.1.1.1]

A pretty common scenario is the one shown on the diagram above. Assume we have only one public
IP address available (100.1.1.1) but we have two (or more) servers that we need to provide public
access for. We know that our Web Server listens on port 80 and our Email Server listens on port 25.
All inbound traffic hitting address 100.1.1.1 port 80 will be redirected by the firewall to 10.0.0.1
port 80, and all traffic hitting address 100.1.1.1 port 25 will be redirected to 10.0.0.2 port 25.

Cisco ASA Versions prior to 8.3

The command format for Port Redirection is the following:

ciscoasa(config)# static (real_interface_name, mapped_interface_name) {tcp|udp} "mapped_IP" "mapped_port" "real_IP" "real_port" netmask "subnet_mask"

For the network topology in our example scenario above, the port redirection commands are the
following:

ciscoasa(config)# static (DMZ,outside) tcp 100.1.1.1 80 10.0.0.1 80 netmask 255.255.255.255
ciscoasa(config)# static (DMZ,outside) tcp 100.1.1.1 25 10.0.0.2 25 netmask 255.255.255.255

Another popular case is to do port redirection using the outside interface. If for example the ASA
receives its IP address dynamically from the ISP (using DHCP on the outside), then the outside address
is not known. So we can configure the ASA so that traffic hitting its outside interface on port 80 will
be redirected to the DMZ Web Server 10.0.0.1 and traffic hitting its outside interface on port 25 will
be redirected to the DMZ Email Server 10.0.0.2.

ciscoasa(config)# static (DMZ,outside) tcp interface 80 10.0.0.1 80 netmask 255.255.255.255
ciscoasa(config)# static (DMZ,outside) tcp interface 25 10.0.0.2 25 netmask 255.255.255.255

Now, what if we have two web servers that both listen on port 80? We can configure the firewall to
redirect a different public mapped port (e.g 8080) to our second web server.

We can also use the Port Redirection feature to translate a well-known port to a lesser-known port
or vice-versa. For example you can tell your web users to connect to a lesser-known port 5265 and
then translate it to the real port 80 on the local network. Keep in mind that this only hides the
service from casual scans of the default port; a full port scan will still find it, so it is no substitute
for a restrictive ACL and a patched server.

Cisco ASA Version 8.3 and later

To configure Port Redirection in version 8.3 and later (using the same diagram above):

ciscoasa(config)# object network web_server_static
ciscoasa(config-network-object)# host 10.0.0.1
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1 service tcp 80 80

ciscoasa(config)# object network email_server_static
ciscoasa(config-network-object)# host 10.0.0.2
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1 service tcp 25 25

NOTES:

* The first port number (80 or 25): This is the Real Port (the port the server is listening on).

* The second port number (80 or 25): This is the Mapped Port (the port visible from outside).

* Instead of using a mapped IP (e.g 100.1.1.1) you can use the keyword "interface".


2.1.4 Configuring Identity NAT

Cisco ASA Versions prior to 8.3

It is worth mentioning another type of NAT mechanism called Identity NAT (or nat 0). If you
enabled nat-control on your firewall, it is mandatory that all packets traversing the security
appliance match a translation rule (either nat/global or static nat rules). If we want to have
some hosts (or whole networks) pass through the firewall without translation then the nat 0
command must be used. This creates a transparent mapping. If Identity NAT is used on an interface,
IP addresses on that interface translate to themselves on all lower security interfaces.

[Diagram: DMZ network 100.1.1.0/24 with public addresses configured directly on the servers]

Assume our DMZ network is assigned a public IP address range (100.1.1.0/24). This means
that the servers located on the DMZ have public IP addresses configured on their Network Interface
Cards. Therefore, we don't need to translate the DMZ real IP addresses into mapped global
addresses.

ciscoasa(config)# nat (DMZ) 0 100.1.1.0 255.255.255.0

You need to have an ACL on the Outside interface in order to allow users from the Internet to
connect with the DMZ servers.

Another way to configure Identity NAT is by using static NAT as shown below:

ciscoasa(config)# static (DMZ,outside) 100.1.1.0 100.1.1.0 netmask 255.255.255.0


Cisco ASA Version 8.3 and later

To configure Identity NAT in version 8.3 and later:

ciscoasa(config)# object network identity_nat_range
ciscoasa(config-network-object)# subnet 100.1.1.0 255.255.255.0

ciscoasa(config)# object network dmz_network
ciscoasa(config-network-object)# subnet 100.1.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (DMZ,outside) static identity_nat_range

Another example with a single host:

ciscoasa(config)# object network nonat
ciscoasa(config-network-object)# host 100.1.1.1
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1
2.1.4.1 Identity NAT Used for VPN Configurations

Cisco ASA Versions prior to 8.3

One important issue to consider is the case of using NAT on the firewall when there is also an IPSEC
VPN configured. The two LANs must see each other's real addresses inside the tunnel (and the
traffic must match the crypto ACL with those real addresses), so we need to exclude the traffic to be
encrypted by IPSEC from the NAT operation. We can use the "nat 0" command for this. Although we
will see this technique in more detail later (in the IPSEC VPN Chapter), let's talk briefly about it
here.


[Diagram: LAN-1 192.168.1.0/24 behind ASA-1 (inside G0/1, outside G0/0 100.100.100.1) and LAN-2 192.168.2.0/24 behind ASA-2 (outside G0/0 200.200.200.1, inside G0/1), connected by an IPSEC Site-to-Site VPN over the Internet]

From the example diagram above (which we will describe in more detail in a later Chapter), we need to
establish a secure IPSEC VPN (Site-to-Site VPN) over the Internet between two internal LAN
networks (LAN-1: 192.168.1.0/24 and LAN-2: 192.168.2.0/24). Both LAN1 and LAN2 will also have
local Internet access. Therefore we need to configure Dynamic NAT on the ASA firewalls to allow
the private LAN networks to access the Internet. However, traffic from LAN-1 to LAN-2 (and vice-
versa) which will pass through the VPN tunnel MUST be excluded from any NAT operation.

To achieve the above, we must configure a "nat 0" command using an Access Control List:

ASA-1(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list NONAT <- Exclude traffic from LAN1 to LAN2 from NAT operation

ASA-2(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside) 0 access-list NONAT <- Exclude traffic from LAN2 to LAN1 from NAT operation

Cisco ASA Version 8.3 and later

To implement the functionality above in ASA version 8.3 and later, we must use the "Twice NAT"
method, as shown below. Twice NAT rules are placed in Section 1 of the NAT table and are therefore
evaluated before the object (auto) NAT rules of Section 2, so the VPN traffic is exempted even though
a dynamic object NAT rule for Internet access also matches its source addresses.

ASA-1:

ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-remote
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

ASA-2:

ASA-2(config)# object network obj-local
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config-network-object)# exit

ASA-2(config)# object network obj-remote
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config-network-object)# exit

ASA-2(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
Chapter 3 Using Access Control Lists (ACL)

In Chapter 2 we have described the Network Address Translation (NAT) security mechanism,
which is one of the two major elements that an administrator needs to configure in order to allow
communication through the firewall. The second major element needed to enable traffic flow
through the firewall is the Access Control mechanism, also called Access Control List (ACL).

3.1 ACL Overview

The Access Control List, as the name implies, is a list of statements (called Access Control Entries)
that permit or deny traffic from a source to a destination. After an ACL is configured, it is applied to
an interface using the "access-group" command. If no ACL is applied to an interface, outbound
access traffic (from inside to outside) is permitted by default, and inbound access traffic (from
outside to inside) is denied by default. The ACL can be applied (using the access-group command)
both to the "in" and "out" direction of the traffic with respect to the interface. The "in" direction of
an ACL controls traffic entering an interface, and the "out" direction of an ACL controls traffic exiting an
interface. In the diagram above, both ACLs shown (for Inbound and for Outbound Access) are
applied to the "in" direction of the Outside and Inside interfaces respectively.

The following are guidelines for designing and implementing ACLs:

* For Outbound Traffic (Higher to Lower Security Levels), the source address argument of
an ACL entry is the actual real address of the host or network.

* For Inbound Traffic (Lower to Higher Security Levels), the destination address argument
of an ACL entry is the translated Mapped IP address (for ASA versions prior to 8.3).
IMPORTANT: For ASA versions 8.3 and later, always use the Real IP address in the Access List when NAT
is configured (i.e the IP actually configured on the host). In these versions the security appliance
untranslates the destination address of an inbound packet before the interface ACL is evaluated, so
an ACL entry written with the mapped address would never match.

Apart from controlling traffic through the interfaces, ACLs are also used to select traffic for other
functions, such as encryption (crypto ACLs), NAT exemption, policing, Quality of Service etc.


3.2 ACL Configuration

The command format of the access-list command is the following:

ciscoasa(config)# access-list "access_list_name" [line line_number] [extended] {deny|permit} protocol "source_address" "mask" [operator source_port] "dest_address" "mask" [operator dest_port]

The command format of the access-group command used to apply an ACL is the following:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

Let's see all the arguments of the ACL command below:

* access_list_name: Give a descriptive name to the specific ACL. The same name is used in
the access-group command.

* line line_number: Each ACL entry has its own line number. Use it to insert an entry at a specific
position instead of appending it to the end of the list.

* extended: Use this when you specify both source and destination addresses in the ACL.

* deny | permit: Specify whether the specific traffic is permitted or denied.

* protocol: Specify here the traffic protocol (ip, tcp, udp, icmp etc).

* source_address mask: Specify the source IP address/network that the traffic originates from. If
it's a single IP address, you can use the keyword "host" without a mask. You can also use the
keyword "any" to specify any address.

* [operator source_port]: Specify the source port number of the originating traffic. The
"operator" keyword can be "lt" (less than), "gt" (greater than), "eq" (equal), "neq" (not
equal to), "range" (range of ports). If no source_port is specified, the firewall matches all
ports.

* dest_address mask: This is the destination IP address/network that the source address
requires access to. You can also use the "host" or "any" keywords.

* [operator dest_port]: Specify the destination port number that the source traffic requires
access to. The "operator" keyword can be "lt" (less than), "gt" (greater than), "eq" (equal),
"neq" (not equal to), "range" (range of ports). If no dest_port is specified, the firewall
matches all ports.

The ACL examples below will give us a better picture of the command formats. 

Example 1: 

ciscoasa(config)# access-list DMZ_IN extended permit ip any any 
ciscoasa(config)# access-group DMZ_IN in interface DMZ 

The above will allow ALL traffic from the DMZ network to go through the firewall. 

Example 2: 

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0 
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80 
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any 
ciscoasa(config)# access-group INSIDE_IN in interface inside 

The above example will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards 
the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal 
network to the external host 210.1.1.1. All other traffic will be permitted from inside. 

Example 3: 

Cisco ASA Version prior to 8.3 

ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 100.1.1.1 eq 80 
ciscoasa(config)# access-group OUTSIDE_IN in interface outside 

The ACL above will allow ANY host on the Internet to access our Web Server host (100.1.1.1). 

For ASA versions prior to 8.3, the address 100.1.1.1 is the public global translated address of our 
Web server. 











Cisco ASA Version 8.3 and Later 

If the Web Server has a private IP configured on its interface (Real IP address), then for ASA 
versions 8.3 and later the command will be (assume the private IP of the Web Server is 192.168.1.1): 

ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq 80 
ciscoasa(config)# access-group OUTSIDE_IN in interface outside 


3.2.1 Editing Access Control Lists 

As we have said above, an ACL consists of one or more Access Control Entries (ACEs) which are 
command lines with permit or deny statements. By default, when you add new ACE lines, these are 
appended to the end of the ACL. Also, you can delete or insert new ACE lines anywhere in the ACL 
by using the "line" parameter in the access-list command. 

You can see the line numbers of each ACE entry by using the "show access-list [name]" command. 

Example: 

Assume we have an ACL with name "INSIDE-IN". We can see the line numbers in the ACL as shown 
below: 

ASA1# show access-list INSIDE-IN 
access-list INSIDE-IN; 3 elements; name hash: 0x8165d621 
access-list INSIDE-IN line 1 extended deny tcp host 10.1.1.12 any eq www (hitcnt=12) 0x4f0c3b92 
access-list INSIDE-IN line 2 extended deny tcp host 10.1.1.12 any eq https (hitcnt=5) 0xefe6d38a 
access-list INSIDE-IN line 3 extended permit ip any any (hitcnt=3791) 0xece2899d 

As shown from the command output above, we have 3 lines in the ACL. 

Now, let's say we want to insert a new ACE entry between lines 2 and 3 of the ACL above: 

ASA1# conf t 
ASA1(config)# access-list INSIDE-IN line 3 extended deny tcp host 10.1.1.12 any eq smtp 
ASA1(config)# show access-list INSIDE-IN 
access-list INSIDE-IN; 4 elements; name hash: 0x8165d621 
access-list INSIDE-IN line 1 extended deny tcp host 10.1.1.12 any eq www (hitcnt=12) 0x4f0c3b92 
access-list INSIDE-IN line 2 extended deny tcp host 10.1.1.12 any eq https (hitcnt=5) 0xefe6d38a 
access-list INSIDE-IN line 3 extended deny tcp host 10.1.1.12 any eq smtp (hitcnt=0) 0xa0087167 
access-list INSIDE-IN line 4 extended permit ip any any (hitcnt=3791) 0xece2899d 

As you can see from the output above, a new ACE entry has been inserted at line 3 and the previous 
"line 3" entry has become "line 4". Line numbers are positional and are not stored in the 
configuration; they shift every time an entry is inserted or removed, so always check 
"show access-list" before inserting by line number. 

In order to delete a specific ACE entry, just use the "no" keyword in front of the ACE entry: 

ASA1(config)# no access-list INSIDE-IN extended deny tcp host 10.1.1.12 any eq www 

3.3 New ACL Features in ASA 8.3 and Later 

In ASA versions 8.3 and later there have been a few important new features regarding Access 
Control Lists. We will see them below. 

3.3.1 Global Access Control List 

As we've seen above, ACLs are applied on interfaces using the "access-group" command. 

In newer ASA versions (8.3 and later) you can also apply an ACL globally as follows: 

ciscoasa(config)# access-group "access_list_name" global 

An ACL applied globally with the "access-group global" command applies a single set of global 
rules on all traffic, no matter which interface the traffic arrives at on the security appliance. However, 
it affects only traffic in the ingress (input) direction (i.e. into the interface). When an interface also 
has its own inbound ACL, the interface ACL is evaluated first and the global ACL afterwards, followed 
by the implicit deny at the end. 

Example 

! The configuration below will allow all internal hosts to access only the internal SMTP server 
(192.168.1.10) for sending emails and deny all other SMTP traffic from our internal network. 

ciscoasa(config)# access-list SMTP extended permit tcp any host 192.168.1.10 eq 25 
ciscoasa(config)# access-list SMTP extended permit tcp host 192.168.1.10 any eq 25 
ciscoasa(config)# access-list SMTP extended deny tcp any any eq 25 
ciscoasa(config)# access-list SMTP extended permit ip any any 

! Apply the rules above globally, no matter from which interface the traffic comes. Useful 
when we have many interfaces on the ASA. 

ciscoasa(config)# access-group SMTP global 
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3.3.2 ACL Changes in ASA Versions 9.x (9.0,9.1 and later) 

!n Cisco ASA Version 9.x there were some changes in Access Control Lists regarding IPv4 and IPv6 
traffic. Now, on the same ACL you can have both IPv4 and IPv6 addresses {as source ant! 
destination addresses on the ACL}. 

Also, the "any 1 ' keyword in an ACL has a different meaning in version 9x Now, if you have the "any" 
keyword in an ACL entry in version 9.x and later, it represents "ALL IPv4 AND IPv6 addresses", if 
you want to reference "ah IPv4 addresses only" in an ACL, then you must use the keyword 'any4", 
Similarly, if you want to reference "all IPv6 addresses only", then you must use the keyword "any 6". 
If you are migrating from version G.xandyou had a keyword "any" in yo Li r ACL con figu ration, this 
will be changed to"any4" in the new configuration running under version 


Example; 

t The rule below wilt allow only IPv4 traffic to access host 19. LI A from the Internet 

ASA f con fig)# access-list OUTSIDE extended permit ip any-* host 10,1.1,1 
ASA (con Jig)# access-group OUTSIDE in interface outside 
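The following Python model is added here as an example; it is not code from this book or from Cisco. It reproduces the ACL semantics described in sections 3.2, 3.2.1 and 3.3.2: ordered ACEs evaluated top-down with the first match winning, an implicit deny at the end, the host/any/any4/any6 address keywords, the eq/neq/lt/gt/range port operators, insertion by line number and deletion with the "no" form. The INSIDE-IN entries are the ones from section 3.2.1; the 203.0.113.x and 2001:db8:: test addresses are documentation ranges chosen for the example, and the port-name table is only a small subset of the ASA's built-in names. 

```python
import ipaddress

# Port names used by the ACEs on this page (a subset of the ASA's built-in name table).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
              "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (predicate_on_ip, next_index)."""
    tok = tokens[i]
    if tok == "any":                      # 9.x semantics: both IPv4 and IPv6
        return (lambda ip: True), i + 1
    if tok == "any4":
        return (lambda ip: ip.version == 4), i + 1
    if tok == "any6":
        return (lambda ip: ip.version == 6), i + 1
    if tok == "host":
        h = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip: ip == h), i + 2
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)
    return (lambda ip: ip in net), i + 2   # False for an address of the other IP version


def _ports(tokens, i):
    """Parse an optional [operator port] at tokens[i]; no operator matches every port."""
    if i >= len(tokens) or tokens[i] not in ("eq", "neq", "lt", "gt", "range"):
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = _port(tokens[i + 1])
    pred = {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "lt": lambda p: p < n, "gt": lambda p: p > n}[op]
    return pred, i + 2


class Ace:
    """One access control entry: 'permit|deny proto src [op port] dst [op port]'."""

    def __init__(self, text):
        self.text, self.hitcnt = text, 0
        t = text.split()
        self.action, self.proto = t[0], t[1]
        self.src, i = _addr(t, 2)
        self.sport, i = _ports(t, i)
        self.dst, i = _addr(t, i)
        self.dport, i = _ports(t, i)

    def matches(self, proto, src, sport, dst, dport):
        proto_ok = self.proto in ("ip", proto)     # 'ip' covers every protocol
        return (proto_ok and self.src(src) and self.sport(sport)
                and self.dst(dst) and self.dport(dport))


class Acl:
    """A named extended ACL: ordered ACEs, first match wins, implicit deny at the end."""

    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, ace_text, line=None):
        """access-list NAME [line N] extended ...: append, or insert in front of line N."""
        ace = Ace(ace_text)
        if line is None:
            self.aces.append(ace)
        else:
            self.aces.insert(line - 1, ace)

    def remove(self, ace_text):
        """no access-list NAME extended ...: drop the ACE with exactly this text."""
        self.aces = [a for a in self.aces if a.text != ace_text]

    def check(self, proto, src, dst, sport=0, dport=0):
        """Return (action, line); line 0 stands for the implicit deny at the end."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.aces, 1):
            if ace.matches(proto, src, sport, dst, dport):
                ace.hitcnt += 1
                return ace.action, n
        return "deny", 0

    def show(self):
        """Lines in the layout of 'show access-list NAME' (without the hash column)."""
        out = [f"access-list {self.name}; {len(self.aces)} elements"]
        for n, a in enumerate(self.aces, 1):
            out.append(f"access-list {self.name} line {n} extended {a.text} (hitcnt={a.hitcnt})")
        return out


def build_inside_in():
    """The INSIDE-IN list from section 3.2.1, including the insertion at line 3."""
    acl = Acl("INSIDE-IN")
    acl.add("deny tcp host 10.1.1.12 any eq www")
    acl.add("deny tcp host 10.1.1.12 any eq https")
    acl.add("permit ip any any")
    acl.add("deny tcp host 10.1.1.12 any eq smtp", line=3)   # old line 3 becomes line 4
    return acl


if __name__ == "__main__":
    acl = build_inside_in()
    print(acl.check("tcp", "10.1.1.12", "203.0.113.5", 40000, 25))   # ('deny', 3)
    print(acl.check("udp", "10.1.1.12", "203.0.113.5", 40000, 53))   # ('permit', 4)
    print("\n".join(acl.show()))
    v9 = Acl("OUTSIDE")
    v9.add("permit ip any4 host 10.1.1.1")                             # section 3.3.2
    print(v9.check("tcp", "2001:db8::9", "10.1.1.1", 1234, 80))        # ('deny', 0)
```

Because the first matching line ends the search, the same packet gets a different verdict depending only on where an entry sits, which is why inserting by line number (rather than appending) matters when the list ends in a broad permit. 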


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Controlling Inhmmtl ami Outbound Traffic with 
AC1.S 


\ Is a thousand wmitU Refer lo the picture <ILt|tr&m hyluw for die example *tui i,r ^ i>s 
^ Tilt'll examplrii will shew ynu bnw in control Inhuuiid iiihI (Juthuund Trail it; Iknv. 


DMlNoMMlt 

10.P.0.B /Z4 



Bor die Web and email Servers above, we have created static NAT mapping In order to translate 
thdr real private addresses Into public addresses that ore accessible from die Internet In addition 
lu Hie static NAT statements, we have to use also AC Ls to allow the appropriate inbound traffic 
towards our seivers. 
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r-sgsRsasffi lasssssssss 

d«oi»»(ranH l i)ll ncccm-Rroiip OUTStOlHN i» 

i1slo;is;i(™iHb)iJ ncWM-llul DM/ IN vxtfiiclcil deny i|> liny JMiy !<•« 
clxcoasalranllftP ncKtfFffrtiuji DMZ-1N in Inltrfiini 

As yo» cm see front the ACt, irtatements, wu nIJuw "miy" imflflir Cl-e Uiienwt irofllc) ifljimws tlw 
public II 1 aildrawtfSflfour Wubjind email tferverf un |h« iitipii>|>rlnlc polls only - 1LI ^ ^5), ^ so < 

ii]l trafficuJlMlnntlng Ih>m the DMZ server* lit denied jioJ I twit n.sinft the DMZdN ALL T hts is a 
good security practice in follow because If a DM/, server Ih copiprtmilstJil from mitslik\ ilioflitochor 
will not be able to oecess anything rise from the DM/ stdiio. 


Cisco ASA Version 8.3 and later 

From Cisco ASA version 8.3 and later, you must specify the Real IP address in the ACL instead of the 
Mapped public IP address. For the example above we have the following configuration: 

! First create the static NAT translations 

ciscoasa(config)# object network web_server_static 
ciscoasa(config-network-object)# host 10.0.0.1  <- Real IP of Web Server 
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1  <- Mapped IP 

ciscoasa(config)# object network email_server_static 
ciscoasa(config-network-object)# host 10.0.0.2  <- Real IP of Email Server 
ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.2  <- Mapped IP 

! Now allow only the absolutely necessary ports (80 and 25) from the Internet 

ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.0.0.1 eq 80 
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.0.0.2 eq 25 
ciscoasa(config)# access-group OUTSIDE-IN in interface outside 

Notice that we have used the Real IP addresses (10.0.0.1 and 10.0.0.2) in the access list entries and 
NOT the mapped public IP addresses. 

Scenario 2: Apply Identity NAT to Inside Network when accessing DMZ 

As we have mentioned earlier, ACLs, in addition to restricting traffic flow, can also be used to 
identify traffic for applying other actions to it. For our diagram above, assume that we want to apply 
Identity NAT to our Inside network when this communicates with the DMZ. In other words, when 
hosts in network 192.168.1.0/24 initiate communication to network 10.0.0.0/24, then we don't 
want to translate them. To disable NAT translation from a specific high security interface to a lower 
security interface, we can use the nat 0 command (only in versions prior to 8.3). An ACL can be 
used together with the nat 0 command to identify which traffic flow will not be translated. 

Cisco ASA Version Prior to 8.3 

ciscoasa(config)# access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0  <- Match traffic from Inside to DMZ 
ciscoasa(config)# nat (inside) 0 access-list NO-NAT  <- Do not translate traffic matched by this ACL 
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 
ciscoasa(config)# global (outside) 1 interface  <- Use PAT when going from Inside to Outside 

The configuration above applies to versions prior to 8.3. The next scenario is much more popular, 
so let's proceed with this. 


Scenario 3: Bidirectional communication between Inside and DMZ Networks 

The previous scenario 2 above works only for traffic going from Inside to DMZ (and not vice-versa). 
If we want to have bidirectional communication between the Inside Network and the DMZ, then we must 
configure Static NAT translation between the two networks. Specifically, we can create a static 
Identity NAT of the Inside LAN (192.168.1.0/24) when communicating with the DMZ. This means that 
source IP addresses of Inside LAN hosts will not be translated when communicating with the DMZ 
(Identity NAT). Since we will use static mapping, this will also allow access from DMZ to Inside 
(controlled by an ACL of course). 

















Referring again to the previous diagram in scenario 1 above, we will create a Static Identity NAT of the 
Inside LAN. Let's see the commands needed for this scenario: 

Cisco ASA Version Prior to 8.3 

ciscoasa(config)# static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 

The above creates a Static Identity NAT of the Inside LAN (between the inside and DMZ zones). The hosts in 
the Inside zone will not be translated when going to the DMZ zone. Moreover, this configuration will allow 
access from DMZ to Inside if needed. 

! Now allow access from DMZ to Inside as needed. This access is controlled by the "dmzin" ACL. 

ciscoasa(config)# access-list dmzin extended permit tcp host 10.0.0.2 host 192.168.1.3 eq 25 
ciscoasa(config)# access-group dmzin in interface DMZ 

The ACL "dmzin" will allow access from DMZ host 10.0.0.2 to Inside host 192.168.1.3 on port 25. 

Cisco ASA Versions 8.3 and later 

To configure scenario 3 above in versions 8.3 and later: 

! Configure the static Identity NAT 

ciscoasa(config)# object network inside_identity_nat 
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0 

ciscoasa(config)# object network inside_network 
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0  <- Internal subnet 
ciscoasa(config-network-object)# nat (inside,DMZ) static inside_identity_nat 

! Now allow access from DMZ to Inside as needed. This access is controlled by the "dmzin" ACL 

ciscoasa(config)# access-list dmzin extended permit tcp host 10.0.0.2 host 192.168.1.3 eq 25 
ciscoasa(config)# access-group dmzin in interface DMZ 

Scenario 4: Apply Outbound Restrictions from Inside to DMZ 

Now, assume that users on the Inside network (192.168.1.0/24) are only allowed to access the 
email server on port 25 (SMTP) in the DMZ but should not have any access to the rest of 
the DMZ network. All access however towards the Internet should be allowed. 

ciscoasa(config)# access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.2 eq 25 
ciscoasa(config)# access-list INSIDE-IN extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
ciscoasa(config)# access-list INSIDE-IN extended permit ip 192.168.1.0 255.255.255.0 any 
ciscoasa(config)# access-group INSIDE-IN in interface inside 

The order of the entries matters: the specific permit for the email server must come before the 
deny for the whole DMZ subnet, otherwise the deny would match first and SMTP would be blocked too. 

3.5 Configuring Object Groups for ACLs 

Imagine that you are responsible for a huge network with hundreds of hosts protected by a Cisco 
Firewall. Imagine also that your organization's security policy dictates that there should be 
access control for all hosts in your network. Creating and maintaining Access Control Lists in such 
an environment could be a daunting task. 

Fortunately, Cisco introduced the object-group command which allows the firewall administrator 
to group together objects such as hosts, networks, ports etc. These object groups can then be used 
in an access-list command to reference all objects within the group. This helps in reducing multiple 
lines in the access list and makes ACL administration much easier. Also, any changes in hosts, ports 
etc are done inside the object-group and are automatically reflected in the access-list. 

There are six types of object groups: 

* Network: Used to group together hosts or subnets. 

* Service: Used to group TCP or UDP port numbers. 

* Protocol: Used to group protocols. 

* ICMP-type: Used to group ICMP message types.

* User: Creates Local User Groups (used in the Identity Firewall feature). 

* Security object group (Version 9.x): Used with Cisco TrustSec. 

We will describe the first two types (Network and Service object groups) since they are the most 
important and popular types used in ACLs. 







3.5.1 Network Object Groups 

The command format of the Network Object Group is the following: 

ciscoasa(config)# object-group network "group_name"  <- First define a name for the object group 
ciscoasa(config-network)# network-object host "host_ip"  <- Define a single host 
ciscoasa(config-network)# network-object "network_ip" "mask"  <- Define a whole subnet 
ciscoasa(config-network)# exit 
ciscoasa(config)# 

Example: 

! Create a network object group for our two Web Servers 

ciscoasa(config)# object-group network WEB_SRV 
ciscoasa(config-network)# network-object host 10.0.0.1 
ciscoasa(config-network)# network-object host 10.0.0.2 

! Create a network object group for the whole DMZ subnet 

ciscoasa(config)# object-group network DMZ_NET 
ciscoasa(config-network)# network-object 10.0.0.0 255.255.255.0 

! Use the object group within an ACL 

ciscoasa(config)# access-list OUT-IN extended permit tcp any object-group WEB_SRV eq 80 

In the example above, we created a network object group WEB_SRV for our Web Servers (10.0.0.1 
and 10.0.0.2). With a single ACL statement we allowed TCP access from Outside towards this 
specific object-group for port 80. Notice that the network object-group in the access-list command 
is used in place of the destination address. It could also be used in place of the source address 
accordingly. 


3.5.2 Service Object Groups 

The command format of the Service Object Group is the following: 

ciscoasa(config)# object-group service "group_name" {tcp | udp | tcp-udp}  <- First define a 
name for the object group and specify what kind of service ports will follow (tcp, udp or both) 
ciscoasa(config-service)# port-object {eq | range} "port_number"  <- Define service ports 
ciscoasa(config-service)# exit 
ciscoasa(config)# 

Example: 

! Create the object groups 

ciscoasa(config)# object-group service DMZ_SERVICES tcp 
ciscoasa(config-service)# port-object eq http 
ciscoasa(config-service)# port-object eq https 
ciscoasa(config-service)# port-object range 21 23 

ciscoasa(config)# object-group network DMZ_SUBNET 
ciscoasa(config-network)# network-object 10.0.0.0 255.255.255.0 

! Using the object groups within an ACL 

ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any object-group DMZ_SUBNET object-group DMZ_SERVICES 

In our example above, assume that we have a DMZ network 10.0.0.0/24 hosting the 
services of http, https, ftp (port 21), ssh (port 22) and telnet (port 23). For this scenario we used 
a DMZ network object group (DMZ_SUBNET) together with a service object group 
(DMZ_SERVICES). The DMZ_SUBNET group is used in place of the destination address, and the 
DMZ_SERVICES group is used in place of the destination port. Keep in mind that "range 21 23" also 
opens ssh and telnet to the whole Internet; in a real deployment restrict such management ports to 
specific source addresses in a separate ACE rather than allowing them from "any". 
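As an added illustration (example code, not ASA code), the model below shows what the appliance does internally when an ACE references object groups: every combination of group members is expanded into one concrete entry, and the total of those entries is what the "N elements" counter of "show access-list" reports. The group contents are taken from the two examples above; the BRANCHES group is a constructed extra to show how quickly the element count grows when groups are combined. 

```python
from itertools import product


class ObjectGroups:
    """Model of ASA network/service object-groups and of the expansion the appliance
    performs when an ACE references them: one concrete entry per member combination."""

    def __init__(self):
        self.network = {}   # group name -> ["host 10.0.0.1", "10.0.0.0 255.255.255.0", ...]
        self.service = {}   # group name -> (protocol, ["eq http", "range 21 23", ...])

    def network_group(self, name, *members):
        self.network.setdefault(name, []).extend(members)

    def service_group(self, name, proto, *members):
        self.service.setdefault(name, (proto, []))[1].extend(members)

    def expand(self, ace):
        """Return the concrete ACEs that an ACE with object-group references stands for."""
        toks, parts, i = ace.split(), [], 0
        while i < len(toks):
            if toks[i] == "object-group":
                name = toks[i + 1]
                if name in self.network:
                    parts.append(self.network[name])
                elif name in self.service:
                    parts.append(self.service[name][1])
                else:
                    raise KeyError(f"object-group {name} is not defined")
                i += 2
            else:
                parts.append([toks[i]])      # a literal token has exactly one alternative
                i += 1
        return [" ".join(combo) for combo in product(*parts)]

    def element_count(self, aces):
        """Number of expanded entries, i.e. the 'N elements' figure of 'show access-list'."""
        return sum(len(self.expand(a)) for a in aces)


def dmz_groups():
    """The groups from sections 3.5.1 and 3.5.2 (constructed from the page's examples)."""
    og = ObjectGroups()
    og.network_group("WEB_SRV", "host 10.0.0.1", "host 10.0.0.2")
    og.network_group("DMZ_SUBNET", "10.0.0.0 255.255.255.0")
    og.service_group("DMZ_SERVICES", "tcp", "eq http", "eq https", "range 21 23")
    return og


if __name__ == "__main__":
    og = dmz_groups()
    for line in og.expand("permit tcp any object-group DMZ_SUBNET object-group DMZ_SERVICES"):
        print(line)
    # Every member of a source group is combined with every member of a destination
    # group and every port, so element counts grow multiplicatively (50 * 2 * 3 here).
    og.network_group("BRANCHES", *[f"host 172.16.{i}.1" for i in range(50)])
    print(og.element_count(
        ["permit tcp object-group BRANCHES object-group WEB_SRV object-group DMZ_SERVICES"]))
```

A single line in the configuration can therefore stand for hundreds of elements; the element count, not the line count, is what the appliance has to search per packet, which is worth checking with "show access-list" after large groups are introduced. 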


3.6 Time Based Access Lists 

Another important feature of ACLs that is very useful is "Time-Based ACLs". You can append to an 
ACL command a time-range period which means that this specific ACL entry will be valid only 
during the specified time-range. First you need to define the "time-range" and then use this time 
range on an ACL entry. 

Example 1: 

Assume we want to restrict web access for the Internal network during working hours from 09:00 
to 17:00. 

Step 1: Define the time-range period 

You can use absolute time ranges (such as January 1 to January 20) or periodic ranges (such as 
Weekdays or every Sunday for example). 

ASA1(config)# time-range workhours 
ASA1(config-time-range)# periodic weekdays 09:00 to 17:00 
ASA1(config-time-range)# exit 

Step 2: Create an ACL entry which will use the time-range 

ASA1(config)# access-list INSIDE-IN extended deny tcp any any eq www time-range workhours 
ASA1(config)# access-list INSIDE-IN extended permit ip any any 
ASA1(config)# access-group INSIDE-IN in interface inside 

From the configuration above, if a user tries to access the web and the time is within the 
"workhours" period, then the first ACL entry will be active and therefore the user will be blocked. 
If the time is outside the "workhours" period then the first ACL entry will be inactive and 
therefore the second ACL entry will permit the traffic. Since the time-range is evaluated against 
the appliance's own clock, make sure the ASA time is correct (e.g. synchronized with NTP); 
otherwise the rule is enforced at the wrong hours. 


Example 2: 

Assume we want to allow web access for a specific DMZ server in order to download security 
updates every Sunday between 08:00 - 11:00. For all other times the access to the Internet will be 
blocked. 

ASA1(config)# time-range updatehours 
ASA1(config-time-range)# periodic Sunday 08:00 to 11:00 
ASA1(config-time-range)# exit 

ASA1(config)# access-list DMZ-IN extended deny ip any any 
ASA1(config)# access-group DMZ-IN in interface DMZ 
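To make the ordering logic of both examples concrete, here is an added Python model (not part of the book) of how a periodic time-range switches an ACE on and off inside a first-match list. It assumes, as the text describes for Example 2, a permit entry carrying the "updatehours" range followed by the deny ip any any; address matching is left out so that only the time-range effect is visible, and treating both boundary minutes as inside the range is an assumption of this model, not something the page states. 

```python
from datetime import datetime

# Day keywords accepted by 'periodic' (Python weekday(): Monday=0 ... Sunday=6).
DAY_SETS = {
    "daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def parse_periodic(spec):
    """'periodic weekdays 09:00 to 17:00' -> (days, start_minute, end_minute)."""
    _, days, start, _, end = spec.split()
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return DAY_SETS[days.lower()], h1 * 60 + m1, h2 * 60 + m2


def is_active(time_range, when):
    """True if the periodic range covers the instant 'when'.
    Assumption of this model: both boundary minutes count as inside the range."""
    days, start, end = time_range
    minute = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute <= end


def evaluate(aces, time_ranges, when):
    """First-match walk over ACEs that all match the packet's addresses and ports.
    aces: [(action, time_range_name or None)]. An ACE whose time-range is inactive
    is skipped exactly as if it were absent. Returns (action, line); 0 = implicit deny."""
    for line, (action, tr) in enumerate(aces, 1):
        if tr is None or is_active(time_ranges[tr], when):
            return action, line
    return "deny", 0


TIME_RANGES = {
    "workhours": parse_periodic("periodic weekdays 09:00 to 17:00"),
    "updatehours": parse_periodic("periodic sunday 08:00 to 11:00"),
}
# Example 1: web traffic from the inside network.
INSIDE_IN_WWW = [("deny", "workhours"), ("permit", None)]
# Example 2 (assumed shape): the permit entry carries the range, deny ip any any follows.
DMZ_IN_UPDATES = [("permit", "updatehours"), ("deny", None)]


def decide(acl, when_iso):
    """Evaluate acl at the instant given as 'YYYY-MM-DD HH:MM' (appliance local time)."""
    return evaluate(acl, TIME_RANGES, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    print(decide(INSIDE_IN_WWW, "2013-08-27 10:30"))    # Tuesday, office hours -> ('deny', 1)
    print(decide(INSIDE_IN_WWW, "2013-08-27 18:30"))    # evening               -> ('permit', 2)
    print(decide(DMZ_IN_UPDATES, "2013-08-25 09:00"))   # Sunday, update window -> ('permit', 1)
    print(decide(DMZ_IN_UPDATES, "2013-08-26 09:00"))   # Monday                -> ('deny', 2)
```

The inactive entry does not turn into a permit or a deny; it simply disappears from the list, so the verdict outside the range comes from whichever later entry (or the implicit deny) matches next. 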



















Chapter 4 Configuring VLANs and Subinterfaces 


In this Chapter we will focus on Interface Layer 2 connectivity of the Cisco ASA firewall. Let me 
remind you that each interface (physical or logical) of the ASA appliance is used to create a security 
zone, which is basically a network segment (Layer 3 subnet) hosting PCs, Servers etc. Each security 
zone is protected by the firewall from the other security zones on the appliance or the Internet. 

In order to build a secure network that follows the principles of "Layered Security", it is a good 
practice to segment your network into different security zones (Layer 3 subnets) which are 
controlled and protected by the firewall. To create security zones, you can use either Physical or 
Logical Interfaces on the appliance. However, in order to create Layer 3 subnets, you must also have 
a different Layer 2 VLAN for each subnet. 

Cisco ASA firewalls support multiple 802.1q VLANs on a Physical interface. This means that an 
administrator can configure multiple Logical interfaces (subinterfaces) on a single physical 
interface and assign each logical interface to a specific VLAN. For example, a Cisco firewall 
appliance with 4 physical interfaces is not limited to having only 4 security zones. We can create for 
example 3 logical subinterfaces on each physical interface, which will give us 12 (4x3) different 
security zones (12 VLANs and 12 Layer 3 subnets). Depending on the ASA model, up to 1024 
VLANs can be configured on a single appliance (the ASA 5585-X supports 1024 VLANs). 

If you configure subinterfaces (VLANs) on a physical interface, then this physical interface must be 
connected to a Trunk Port on a Layer 2 switch. In addition, if you enable subinterfaces, you typically 
do not want the main physical interface to also be passing traffic. You can achieve this by omitting 
the nameif command (no nameif) on the physical interface. The physical interface itself must still be 
enabled (no shutdown), because the subinterfaces inherit its link state. 

To configure logical subinterfaces, use the subinterface argument of the interface command in 
global configuration mode. This will put you in subinterface configuration mode, where you have to 
assign a VLAN ID using the vlan command. As we mentioned in the "Basic Configuration Steps" section 
of Chapter 1, we also have to configure a name for the subinterface (nameif), a security level and 
an IP address. 

The command format for creating a VLAN subinterface is the following: 

ciscoasa(config)# interface "physical_interface"."subinterface_number"  <- e.g. gigabitethernet 0/1.1 
ciscoasa(config-subif)# vlan "vlan_id"  <- Assign a VLAN ID to the subinterface 
ciscoasa(config-subif)# nameif "name"  <- Assign a name to the subinterface 
ciscoasa(config-subif)# security-level 0-100  <- Assign a security level to the subinterface 
ciscoasa(config-subif)# ip address "ip_address" "mask"  <- Assign an IP address 

Let's see an example scenario below with a network diagram. 

[Network diagram: ASA physical interface G0/1 connected to a switch trunk port; subinterface 
G0/1.1 in VLAN 10 (Inside1, 192.168.1.0/24) and subinterface G0/1.2 in VLAN 20 (Inside2, 192.168.2.0/24).] 

In the example above, assume that we wanted to segment our internal network into two security 
zones (Inside1 and Inside2). Maybe the Inside1 zone will host all user PCs, and the Inside2 zone will host 
all internal corporate servers (email server, domain server etc). To build this topology, we need to 
create two VLANs on the switch (10 and 20), one for each network subnet. Instead of using two 
Physical Interfaces of the ASA firewall (one for each zone), we need one physical interface with two 
logical interfaces, as shown below: 

* G0/1: Physical Interface 

* G0/1.1: Logical Interface (subinterface) assigned to VLAN 10 

* G0/1.2: Logical Interface (subinterface) assigned to VLAN 20 

The two logical interfaces (G0/1.1 and G0/1.2) behave just like the physical interface, and they are 
two separate "legs" of the firewall. 

See the sample configuration below for details: 

ciscoasa(config)# interface gigabitethernet 0/1 
ciscoasa(config-if)# no nameif  <- Disable the physical interface from passing traffic 
ciscoasa(config-if)# no security-level 
ciscoasa(config-if)# no ip address 
ciscoasa(config-if)# no shutdown  <- The link must be up for the subinterfaces to work 
ciscoasa(config-if)# exit 

ciscoasa(config)# interface gigabitethernet 0/1.1 
ciscoasa(config-subif)# vlan 10 
ciscoasa(config-subif)# nameif inside1 
ciscoasa(config-subif)# security-level 80 
ciscoasa(config-subif)# ip address 192.168.1.1 255.255.255.0 

ciscoasa(config)# interface gigabitethernet 0/1.2 
ciscoasa(config-subif)# vlan 20 
ciscoasa(config-subif)# nameif inside2 
ciscoasa(config-subif)# security-level 90 
ciscoasa(config-subif)# ip address 192.168.2.1 255.255.255.0 
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Chapter 5 Configuring Threat Detection 
S.l Threat Detection Overview 


Threat detection was introduced to allow the security appliance to monitor threatening packet 
flaws. This feature can in form administrators sbemta possible attack and also has enough 
intelligence to automatically block threatening IP addresses or ranges (mainly for scanning 
threats). 

Threat Detection is a toot to identify, understand, and stop attacks before they reach the Internal 
network infrastructure. It relies ona number af different triggers and statistics on the firewall 
which are fired and calculated as the traffic passes through the ASA. 

J hreat detection feature is supported from software versions 8.0(2) so you can enable item any 
ASA which is running 8.0(2) or higher version. Advanced Threat; Detection statistics for TCP 
intercept are only available in ASA 8.0[4) and later. You should note that threat detection is not a 
substitute of a dedicated IDS/IPS solution; it can be used in environments where an IPS is not 
available to provide an added layer of protection to the core functionality of ASA. 

I he threat detection feature has three main components: 

1. Basic Threat Detection (enabled by default) 

2, Advanced l hreat Detection [only ACL statistics are enabled by default] 

' StarinLn £ Threat Detection [you can shun hosts which scan the protected network) 

Let's walk through each one of them below. 

5.2 Basic Threat Detection 

Basic threat detection provides very basic security where it monitors the rates at which packets are 
dropped for various reasons by the ASA as a whole. As the name suggests, it provides basic 
functionality and is applicable on the entire device because it does not give you the granularity to 
monitor anything very specific. In general, it uses the ASP (Accelerated Security Path) drop engine 
on the firewall to generate the statistics. 

With Basic threat detection, the ASA monitors dropped packets for these events: 

* Packets denied by Access Lists (ACL drop). 

* Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length). 

* Connection limits exceeded (both system-wide resource limits, and limits set in the 
configuration). 

* DoS attack detected (such as an invalid SPI, Stateful Firewall check failure). 

* Basic firewall checks failed (This option is a combined rate that includes all firewall 
related packet drops in this bulleted list. It does not include non-firewall-related drops such 
as interface overload, packets failed at application inspection, and scanning attack 
detected.) 

* Suspicious ICMP packets detected. 

* Packets failed application inspection. 

* Interface overload. 

* Scanning attack detected (This option monitors scanning attacks; for example, the first 
TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full 
scanning threat detection takes this scanning attack rate information and acts on it by 
classifying hosts as attackers and automatically shunning them, for example.) 

* SYN Attack Detection: Incomplete session detection such as TCP SYN attack detected or no 
data UDP session attack detected. 

When the ASA detects a threat, it immediately sends a system log message (733100). 

For each event, basic threat detection measures the rates at which drops occur over a defined 
period of time which is known as the average rate interval (ARI), which ranges from 600 seconds 
to 30 days. If the number of events that occur within the ARI exceeds the configured rate 
thresholds, the ASA considers these events a threat. 

Basic threat detection has two configurable thresholds for when it considers events to be a threat: 
the average rate and the burst rate. The average rate is simply the average number of drops per 
second within the time period of the configured ARI. For example, if the average rate threshold for 
ACL drops is configured for 300 with an ARI of 600 seconds, the ASA calculates the average number 
of packets that were dropped by ACLs in the last 600 seconds. If this number turns out to be greater 
than 300 per second, the ASA logs a threat. 

As we have said above, whenever a basic threat is detected, the ASA simply generates syslog 
message %ASA-4-733100 to alert the administrator that a potential threat has been identified. The 
ASA can be configured to forward these alert messages to a syslog server or by email, so that the 
administrator receives the alert and can then act on it. The average, current, and total number of 
events for each category can be seen with the show threat-detection rate command. Basic threat 
detection works on the overall drops on the firewall; it does not take any action on the offending 
traffic or prevent future attacks. Basic threat detection is purely a monitoring or reporting 
mechanism. 

5.2.1 Configuration and Monitoring of Basic Threat Detection 

Simply enable basic threat detection statistics using the following command: 

ciscoasa(config)# threat-detection basic-threat 

Note: Basic threat detection statistics are enabled by default and have a negligible performance impact. You 
can also enable or disable the feature from ASDM by going to Configuration > Firewall > Threat Detection. 

A sample log that is generated after enabling this command can be seen below: 

Aug 25 2013 08:38:19: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per 
second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; 
Cumulative total count is 4860 

Aug 25 2013 08:38:21: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per 
second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative 
total count is 20163 

Aug 25 2013 08:42:15: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per 
second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; 
Cumulative total count is 4552 

Aug 25 2013 08:42:28: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per 
second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative 
total count is [illegible in the source] 
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When you enable basic threat detection using the thicuL-detection basics Inc a I roimimiid, you 
eaft view statistics using the show threat-detection rale command in privileged liKli<! mole, 

ciscoasa # show threat-detection rate 

Following is a sample output from the show threat-detection mte euiimiund; 


                     Average(eps)   Current(eps)   Trigger   Total events 
10-min ACL drop:                0              0         0            165 
1-hour ACL drop:                0              0         0            123 
1-hour SYN attck:               4              0         5          51332 
10-min Scanning:                0              0        29 
1-hour Scanning:              106              0        10         304776 
10-min Firewall:                0              0         3             22 
1-hour Firewall:               76              0         2         274844 
10-min DoS attck:               0              0         0              6 
1-hour DoS attck:               0              0         0             42 

The output shows the following: 

* The average rate in events/sec over fixed time periods. 

* The current burst rate in events/sec over the last completed burst interval, which is 1/30th of 
the average rate interval or 10 seconds, whichever is larger. 

* The number of times the rates were exceeded (Trigger). 

* The total number of events over the fixed time periods. 









Default Values of Basic Threat Detection 

In order to see the default values of Basic Threat Detection events, run the following command: 

ciscoasa# show running-config all threat-detection 






threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400 
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320 
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400 
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320 
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800 
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640 
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400 
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320 
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400 
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320 
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10 
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8 
--- Output Omitted --- 


You can fine tune the default values as follows. Let's say we want to change the DoS event trigger rates from the default values:

ciscoasa(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100

In the example above, the ASA will issue a syslog message (%ASA-4-733100) when the number of DoS events exceeds 60 per second over 600 seconds. Also if
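To make the relationship between rate-interval, average-rate and burst-rate concrete, here is an added Python example (not from the book or from Cisco) that parses threat-detection rate lines like the defaults shown above, derives the burst interval from the 1/30th-or-10-seconds rule, and evaluates a constructed list of drop timestamps against the scanning-threat thresholds. The drop timestamps, and the decision to treat reaching the configured maximum as "exceeded" (which is how the sample syslog messages above read), are assumptions of this example:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed sample: rate lines in the form printed by
# "show running-config all threat-detection" earlier in this section.
SAMPLE_DEFAULTS = """\
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""

RATE_LINE_RE = re.compile(
    r"^threat-detection rate (?P<event>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)\s*$"
)


@dataclass(frozen=True)
class RateThreshold:
    event: str
    rate_interval: int   # seconds over which the average rate is computed
    average_rate: int    # events/sec
    burst_rate: int      # events/sec

    @property
    def burst_interval(self) -> int:
        # The burst interval is 1/30th of the average rate interval or
        # 10 seconds, whichever is larger (600 s -> 20 s, 3600 s -> 120 s).
        return max(self.rate_interval // 30, 10)


def parse_thresholds(text: str) -> List[RateThreshold]:
    """Parse 'threat-detection rate ...' lines into threshold objects."""
    out = []
    for line in text.splitlines():
        m = RATE_LINE_RE.match(line.strip())
        if m:
            out.append(RateThreshold(m.group("event"), int(m.group("interval")),
                                     int(m.group("avg")), int(m.group("burst"))))
    return out


def threshold_for(thresholds: Sequence[RateThreshold], event: str,
                  rate_interval: int) -> RateThreshold:
    for t in thresholds:
        if t.event == event and t.rate_interval == rate_interval:
            return t
    raise KeyError(f"no threshold for {event} over {rate_interval}s")


def evaluate(drop_times: Sequence[float], th: RateThreshold, now: float) -> Dict[str, object]:
    """Compute the average and burst drop rates at time 'now' and compare them to th.

    Reaching the configured maximum counts as exceeding it (assumption of this
    example, matching the sample messages: burst rate 10, max configured 10).
    """
    in_avg = sum(1 for t in drop_times if now - th.rate_interval < t <= now)
    in_burst = sum(1 for t in drop_times if now - th.burst_interval < t <= now)
    avg_eps = in_avg / th.rate_interval
    burst_eps = in_burst / th.burst_interval
    return {
        "average_eps": avg_eps,
        "burst_eps": burst_eps,
        "average_exceeded": avg_eps >= th.average_rate,
        "burst_exceeded": burst_eps >= th.burst_rate,
    }


# Constructed drop timestamps (seconds): a slow trickle over the last ten
# minutes plus a 250-packet spike inside the last 20 seconds.
SAMPLE_DROPS = ([500.0 + 9 * i for i in range(50)]
                + [981.0 + 0.07 * i for i in range(250)])

if __name__ == "__main__":
    th = threshold_for(parse_thresholds(SAMPLE_DEFAULTS), "scanning-threat", 600)
    print(f"burst interval for {th.rate_interval}s: {th.burst_interval}s")
    print(evaluate(SAMPLE_DROPS, th, now=1000.0))
```

Running it shows the point of having two thresholds: the spike pushes the burst rate to 12.5 drops/sec over the 20-second window and trips the burst threshold, while the average over 600 seconds stays at 0.5 drops/sec, far below the configured 5, so a short scan is caught by the burst rate long before the average would notice it.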
5.3 Advanced Threat Detection


Advanced threat detection statistics show both allowed and dropped traffic rates for individual objects such as hosts, ports, protocols, or ACLs. Therefore it offers more granular control in monitoring threats. By default, Advanced Threat Detection is enabled only for ACL statistics.

Depending on the type of statistics enabled, it can have a performance impact on the device. The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact.

For host, port, and protocol objects, Threat Detection keeps track of the number of packets, bytes, and drops that were both sent and received by that object within a specific time period. Threat Detection keeps track of the top 10 ACEs (both permit and deny) that were hit the most within a specific time period.

Like Basic Threat Detection, the Advanced Threat Detection is purely informational. No actions are taken to block traffic based on the Advanced Threat Detection statistics.

5.3.1 Configuration and Monitoring of Advanced Threat Detection

To configure Advanced Threat Detection use the command "threat-detection statistics". If no specific feature keyword is provided, the command enables tracking for all statistics.

ciscoasa(config)# threat-detection statistics [access-list|host|port|protocol|tcp-intercept]

* access-list: Enables statistics for ACEs (enabled by default).

* host number-of-rate {1|2|3}: Enable statistics for hosts with the specified number-of-rate interval. The number-of-rate keyword sets the number of rate intervals maintained for host statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. NOTE: The "host" monitoring may affect ASA performance.
* port number-of-rate {1|2|3}: Enable statistics for TCP and UDP ports, with the specified number-of-rate interval.

* protocol number-of-rate {1|2|3}: Enable statistics for non-TCP/UDP IP protocols, with the specified number-of-rate interval.

* tcp-intercept: Enable statistics for attacks intercepted by TCP Intercept.

To monitor the advanced threat detection statistics, use the following:

ciscoasa(config)# show threat-detection statistics [top] [min-display-rate rate] [access-list|host|port|protocol|tcp-intercept]

It is very useful to use the "top" keyword on the command above to display the top 10 statistics for the various elements.



Example 1:

ciscoasa(config)# show threat-detection statistics top access-list

The command above will show you the top 10 Access Control Entries matching packets, including both permit and deny.

Example 2:

ciscoasa(config)# show threat-detection rate acl-drop

With the command above you can track ACL denies on the firewall.

Example 3:

ciscoasa(config)# show threat-detection statistics host


If you have enabled the "host" threat detection monitoring, you can see some very interesting statistics such as:

* Total number of sessions from hosts.

* Total number of active sessions for each host (useful to identify if there are hosts in the network infected with worms or viruses which generate a lot of sessions and traffic in the network).

* Firewall drops for each host.

* Application inspection drops for each host.

* Etc.
5.4 Scanning Threat Detection

Scanning Threat Detection is the only one which can actively block (shun) attackers which are attempting to scan the network protected by the ASA. Unlike IPS scan detection that is based on signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity. If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally shuns the attacker. If a shun is configured, the ASA sends a syslog message 733102 to indicate that an attacker was blocked.

NOTES:

1. The Scanning Threat Detection feature can have a significant impact on ASA performance.

2. Only traffic that is allowed to pass through the ASA is affected by scanning threat detection. Traffic that is denied by ACL is not detected by the Scanning Threat mechanism.


5.4.1 Configuration and Monitoring of Scanning Threat Detection

To configure Scanning Threat Detection use the command "threat-detection scanning-threat" as we will explain below:

ciscoasa(config)# threat-detection scanning-threat [shun [duration seconds] [except ip-address address mask]]

Example 1:

ciscoasa(config)# threat-detection scanning-threat <- Just enable the scanning threat detection

Example 2:

ciscoasa(config)# threat-detection scanning-threat shun duration 3600 <- Enable scanning threat detection and shun attackers for 3600 seconds.

Example 3:

ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255 <- Enable scanning threat detection and shun attackers except 10.1.1.1


Default Values for Scanning Threat Detection

The following are the default values for scanning threat detection:

Average Rate                                  Burst Rate
5 drops/sec over the last 600 seconds         10 drops/sec over the last 20 second period
5 drops/sec over the last 3600 seconds        10 drops/sec over the last 120 second period


To change the default values:

ciscoasa(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20

To monitor the scanning threat detection shunned hosts, attackers and targets, use the following:

ciscoasa(config)# show threat-detection shun <- Shows which hosts are shunned

Shunned Host List:
111.222.0.1
200.0.0.2

To unblock one of the shunned hosts above:

ciscoasa(config)# clear threat-detection shun 111.222.0.1

ciscoasa(config)# show threat-detection scanning-threat attacker <- Shows attackers which have been identified to be scanning our network.

111.222.0.1
Chapter 6 IPSec VPNs

This Chapter discusses Virtual Private Networks using the IPSec protocol standard. Cisco ASA appliances, in addition to their core firewall functionality, can be used also to securely connect two distant LAN networks (Site-to-Site VPN) or allow remote users/teleworkers to securely communicate with their corporate network (Remote-Access VPN). So, with this technology we can build two types of VPN topologies:

* Site-to-Site VPNs (or Hub-and-Spoke between a hub site and several branch spoke sites).

* Remote Access VPNs.

In this Chapter we will focus on the above two types of VPN topologies.

The majority of IPSec VPNs operating today are built using the legacy IKEv1 IPSEC technology. However, a new IKEv2 IPSEC implementation has been introduced which will be discussed also in this Chapter. Specifically, we will see how to setup Site-to-Site VPNs using both IKEv1 and IKEv2 IPSEC. Moreover, we will also discuss Remote Access VPN using the legacy IPSEC VPN client software.

Before proceeding with the technical details of configuring IPSec VPNs, it will be very useful to briefly summarize the VPN technologies supported by Cisco ASA. These VPN technologies will be discussed in this Chapter and in the next one.

6.1 Overview of Cisco ASA VPN Technologies

Cisco supports several types of VPN implementations on the ASA but they are generally categorized as either "IPSec Based VPNs" or "SSL Based VPNs". The first category uses the IPSec protocol for secure communications while the second category uses SSL. SSL Based VPNs are also called WebVPN in Cisco terminology and will be discussed in the next Chapter when we talk about the Anyconnect VPN client solution. The two general VPN categories supported by Cisco ASA are further divided into the following VPN technologies.

* IPSec Based VPNs:

  o Site-to-Site IPSec VPN: Used to connect two or more remote LAN networks over an insecure medium (e.g. the Internet). Links are between ASA-to-ASA or ASA-to-Router.

  o Remote Access with IPSec VPN Client: A VPN client software is installed on the user's PC to provide remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user. The users use their applications at the central site as they normally would without a VPN in place.

NOTE: Cisco has announced the End-of-Life of the Legacy Cisco IPSec VPN client. It is now replaced by the "Cisco Anyconnect Secure Mobility Client" which provides both secure SSL and IPSec/IKEv2 connections to the ASA for remote users.

* SSL Based VPNs (WebVPN):

  o Clientless Mode WebVPN: This is the first implementation of SSL WebVPN supported from ASA version 7.0 and later. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only limited applications can be accessed remotely.

  o AnyConnect VPN: A special Java based client is installed on the user's computer providing an SSL secure tunnel to the central site. Anyconnect provides full network connectivity (similar with IPSec remote access client). All applications at the central site can be accessed remotely. Also, in the newest Anyconnect versions (3.x and above), the client supports also IKEv2 IPSEC to offer remote access.

NOTE: The newest Anyconnect VPN product from Cisco is called "Cisco Anyconnect Secure Mobility Client". It is supported on ASA version 8.0(3) and later and provides both SSL VPN connectivity as well as IPSec/IKEv2 VPN connectivity for remote users. You need ASA version 8.4 and later to use the IPSec/IKEv2 VPN feature.
6.2 What is IPSec

Let's talk about some theory behind IPSec in order to have a knowledge base for the discussion in later sections of this Chapter.

IPSec (IP Security) is an open IETF standard that enables encrypted communication. It is a suite of protocols that provide data confidentiality, integrity, and authentication. A Virtual Private Network (VPN) is a secure private tunnel over an insecure path (e.g. over the Internet). IPSec therefore is used to build VPNs over the Internet or any other non-secure networks.

IPSec works at the network layer, encrypting and authenticating IP packets between a firewall security appliance and other participating IPSec devices (peers), such as Cisco routers, other Cisco firewalls, VPN software clients etc. Because IPSec is standardized, all other firewall vendors support it as well, so it is ideal to build VPNs between multivendor devices.

The following IPSec protocols and standards will be used later in our discussion, so it is a good idea to briefly explain their functionality and usage:

* ESP (Encapsulating Security Payload): This is the first of the two main protocols that make up the IPSec standard. It provides data integrity, authentication, and confidentiality services. ESP is used to encrypt the data payload of the IP packets.

* AH (Authentication Header): This is the second of the two main protocols of IPSec. It provides data integrity, authentication, and replay-detection. It does not provide encryption services, but rather it acts as a "digital signature" for the packets to ensure that tampering of data has not occurred.

* Internet Key Exchange (IKE): This is the mechanism used by the security appliance for securely exchanging encryption keys, authenticating IPSec peers and negotiating IPSec security parameters. On the ASA firewall, this is synonymous with ISAKMP as we will see in the IPSec configuration.

* DES, 3DES, AES: All these are encryption algorithms supported by the Cisco ASA Firewall. DES is the weakest one (uses a 56-bit encryption key) and AES is the strongest one (uses 128, 192 or 256 bit encryption keys). 3DES is a middle choice using a 168-bit encryption key.

* Diffie-Hellman Group (DH): This is the public key exchange method used by IKE to derive the shared secret keys between the peers.

* MD5, SHA-1: These are both Hash Algorithms used to authenticate packet data. SHA is stronger than MD5.

* Security Association (SA): An SA is a connection between two IPSec peers. Each IPSec peer maintains an SA database in its memory containing SA parameters. SAs are uniquely identified by the IPSec peer address, security protocol, and Security Parameter Index (SPI).

6.3 How IPSec Works

There are five main steps followed by the IPSec devices:

1. Interesting Traffic: The IPSec devices recognize the traffic to protect.

2. Phase 1 (ISAKMP): The IPSec devices negotiate an IKE security policy and establish a secure channel for communication.

3. Phase 2 (IPSec): The IPSec devices negotiate an IPSec security policy to protect data.

4. Data Transfer: Data is transferred securely between the IPSec peers based on the IPSec parameters and keys negotiated during the previous phases.

5. IPSec Tunnel Terminated: IPSec SAs terminate when timing out or a certain data volume is reached.

The steps above will become clear when we see actual configuration examples. Let's start with the first IPSec VPN type that we will describe in this Chapter, Site-to-Site VPN (using IKEv1 IPSec).

6.4 Site-to-Site VPN using IKEv1 IPSEC

6.4.1 Site-to-Site IKEv1 IPSEC VPN Overview

[Diagram: Site-to-Site IPSec VPN. ASA-1 (inside/outside interfaces) and ASA-2 connected over the INTERNET; LAN-1 192.168.1.0/24 behind ASA-1 (outside 100.100.100.1), LAN-2 192.168.2.0/24 behind ASA-2 (outside 200.200.200.1).]

Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As the name implies, this VPN type connects together two distant LAN networks over the Internet. Usually, Local Area Networks use private addressing as shown on our diagram above. Without VPN connectivity, the two LAN networks above (LAN-1 and LAN-2) wouldn't be able to communicate. By configuring a Site-to-Site IPSec VPN between the two ASA firewalls, we can establish a secure tunnel over the Internet, and pass our private LAN traffic inside this tunnel. The result is that hosts in network 192.168.1.0/24 can now directly access hosts in 192.168.2.0/24 network (and vice-versa) as if they were located in the same LAN. The IPSec tunnel is established between the Public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1).

6.4.2 Configuring Site-to-Site IKEv1 IPSec VPN

As we've described above in "How IPSec Works", there are five steps in the operation of IPSec. Next we will describe the configuration commands needed for each step in order to set up the VPN. All configuration examples below refer to the network diagram for site-to-site VPN. This is for the legacy IKEv1 IPSEC. Later on we will see also how to configure site-to-site IKEv2 IPSEC VPNs.

* STEP 1: Configure Interesting Traffic

We need first to define the Interesting Traffic, that is, traffic that will be encrypted. Using Access-Lists (Crypto ACL) we can identify which traffic flow must be encrypted. In our example diagram above, we want all traffic flow between private networks 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

ASA 1:

ASA-1(config)# access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA 2:

ASA-2(config)# access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Notice that we have to configure the exact mirror access-list for each ASA firewall participating in the IPSec VPN. The Crypto ACL needs to identify only outbound traffic. The permit statement in the ACL means that the specific traffic must be encrypted.
NAT Exemption for VPN Traffic

One important issue to consider is the case of using NAT on the firewall for normal Internet access. Because IPSec does not work with NAT, we need to exclude the traffic to be encrypted from the NAT operation. This means in our example that the Interesting Traffic in the Crypto ACL must not be translated (you can use the nat 0 command for this if you are running an ASA version prior to 8.3). See the configuration below:

Cisco ASA Version Prior to 8.3

ASA 1:

ASA-1(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA-1(config)# nat (inside) 0 access-list NONAT <- Exclude traffic from LAN1 to LAN2 from NAT operation

ASA 2:

ASA-2(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA-2(config)# nat (inside) 0 access-list NONAT <- Exclude traffic from LAN2 to LAN1 from NAT operation

Cisco ASA Version 8.3 and later

ASA 1:

ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-remote
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

ASA 2:

ASA-2(config)# object network obj-local
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config-network-object)# exit

ASA-2(config)# object network obj-remote
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config-network-object)# exit

ASA-2(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
* STEP 2: Configure Phase 1 (IKEv1 or ISAKMP)

The purpose of Phase 1 is to establish a secure communication channel for further data exchange between the peers. In this Phase the two peers negotiate an IKEv1 policy which MUST match the policy of the other peer(s). The ikev1 policy tells the other peer what must be used in the VPN (e.g. encryption protocol, hash, authentication method, Diffie-Hellman Group (DH), lifetime threshold for the tunnel etc).

The command format of the ikev1 policy is the following:

ASA(config)# crypto ikev1 policy "priority number" <- Lower number means higher priority
ASA(config-ikev1-policy)# encryption {aes|aes-192|aes-256|3des|des}
ASA(config-ikev1-policy)# hash {sha|md5}
ASA(config-ikev1-policy)# authentication {pre-share|rsa-sig}
ASA(config-ikev1-policy)# group {1|2|5|7} <- DH Group
ASA(config-ikev1-policy)# lifetime "seconds" <- Up to 86400 seconds

ASA(config)# crypto ikev1 enable "interface-name" <- Enable the policy on an interface
ASA(config)# crypto isakmp identity address <- Identify the ASA with its address and not FQDN

NOTE: In ASA versions prior to 8.4, the command keyword "ikev1" was named as "isakmp".

Several ikev1 policies can be configured to match different requirements from different IPSec peers. The priority number uniquely identifies each policy. The lower the priority number, the higher the priority will be given to the specific policy.

The following example parameters can be used to create a strong isakmp policy:

* Encryption aes

* Hash sha

* Authentication pre-share

* Group 2 or 5

* Lifetime 3600 (the Security Association - SA will expire and renegotiate every 1 hour)

The next thing we need to specify is the pre-shared key and the type of the VPN (Lan-to-Lan or Remote Access). These are configured by the tunnel-group command.

ASA(config)# tunnel-group "peer IP address" type {ipsec-l2l | remote-access}
ASA(config)# tunnel-group "peer IP address" ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key "key"

NOTE: The types "ipsec-ra" and "webvpn" were deprecated from ASA version 8.0(2). They are replaced by the new "remote-access" type.

Let's see the complete example configuration for both firewalls for Phase 1 setup:

ASA 1:

ASA-1(config)# crypto ikev1 policy 10
ASA-1(config-ikev1-policy)# authentication pre-share <- Use pre-shared key for authentication
ASA-1(config-ikev1-policy)# encryption aes <- Use AES 128 bit encryption
ASA-1(config-ikev1-policy)# hash sha <- Use SHA for hashing
ASA-1(config-ikev1-policy)# group 2 <- Diffie-Hellman Group 2
ASA-1(config-ikev1-policy)# lifetime 3600 <- Lifetime of SA is 3600 seconds
ASA-1(config-ikev1-policy)# exit

ASA-1(config)# crypto ikev1 enable outside <- Enable the policy on "outside" interface
ASA-1(config)# crypto isakmp identity address

ASA-1(config)# tunnel-group 200.200.200.1 type ipsec-l2l <- Configure a tunnel with peer 200.200.200.1 which will be of type Lan-to-Lan
ASA-1(config)# tunnel-group 200.200.200.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key somestrongkey <- pre-shared key

ASA 2:

ASA-2(config)# crypto ikev1 policy 10
ASA-2(config-ikev1-policy)# authentication pre-share <- Use pre-shared key for authentication
ASA-2(config-ikev1-policy)# encryption aes <- Use AES 128 bit encryption
ASA-2(config-ikev1-policy)# hash sha <- Use SHA for hashing
ASA-2(config-ikev1-policy)# group 2 <- Diffie-Hellman Group 2
ASA-2(config-ikev1-policy)# lifetime 3600 <- Lifetime of SA is 3600 seconds
ASA-2(config-ikev1-policy)# exit

ASA-2(config)# crypto ikev1 enable outside <- Enable the policy on "outside" interface
ASA-2(config)# crypto isakmp identity address

ASA-2(config)# tunnel-group 100.100.100.1 type ipsec-l2l <- Configure a tunnel with peer 100.100.100.1 which will be of type Lan-to-Lan
ASA-2(config)# tunnel-group 100.100.100.1 ipsec-attributes
ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key somestrongkey <- pre-shared key
* STEP 3: Configure Phase 2 (IPSec)

After a secured tunnel is established in Phase 1, the next step in setting up the VPN is to configure the IPSec security parameters that will be used to protect the data and messages within the tunnel. This is achieved in Phase 2 of the IPSec. In this Phase the following functions are performed:

* Negotiation of IPSec security parameters and IPSec transform sets.

* Establishment of IPSec SAs.

* Renegotiation of IPSec SAs periodically to ensure security.

The ultimate goal of IKE Phase 2 is to establish a secure IPSec session between peers. Before that can happen, each pair of end points negotiates the level of security required (encryption and authentication algorithms for the session). Rather than negotiate each encryption and authentication protocol individually, the protocols are grouped into sets, called transform sets. IPSec transform sets are exchanged between peers and they must match between peers in order for the session to be established.

The command format of configuring a transform set is the following:

ASA(config)# crypto ipsec ikev1 transform-set "name" "transform1" "transform2"

The following transforms (protocols/algorithms) can be used in place of transform1 and transform2:


Transform          Description
esp-des            ESP transform using DES cipher (56 bits)
esp-3des           ESP transform using 3DES cipher (168 bits)
esp-aes            ESP transform using AES-128 cipher
esp-aes-192        ESP transform using AES-192 cipher
esp-aes-256        ESP transform using AES-256 cipher
esp-md5-hmac       ESP transform using HMAC-MD5 authentication
esp-sha-hmac       ESP transform using HMAC-SHA authentication
esp-none           ESP with no authentication
esp-null           ESP with null encryption


The following might be useful when choosing transform protocols:
* For providing data confidentiality (encryption), use an ESP encryption transform such as the first 5 in the list above.

* Also consider using an ESP authentication transform by choosing MD5-HMAC or SHA-HMAC algorithms. SHA is stronger than MD5 but it is slower.

Consider the following example combinations of transform sets:

* ESP-DES for high performance encryption but with no authentication.

* ESP-3DES and ESP-MD5-HMAC for strong encryption and authentication.

* ESP-AES-192 and ESP-SHA-HMAC for stronger encryption and authentication.


After configuring a transform set on both IPSec peers, we need to configure a crypto map which contains all Phase 2 IPSec parameters. This crypto map is then attached to the firewall interface (usually "outside") on which the IPSec will be established.

The command format of a crypto map is:

ASA(config)# crypto map "name" "seq-num" match address "Crypto-ACL" <- Assign the Crypto ACL which specifies the Interesting Traffic to be encrypted.
ASA(config)# crypto map "name" "seq-num" set peer "Peer_IP_address" <- Specify the remote peer IP address
ASA(config)# crypto map "name" "seq-num" set ikev1 transform-set "Transform_set_name" <- This is the transform set name configured above
ASA(config)# crypto map "name" "seq-num" set security-association lifetime seconds {seconds} <- Specify how often the SA will expire and get renegotiated.
ASA(config)# crypto map "name" interface "interface-name" <- Attach the map to an interface

The seq-num parameter in the crypto map is used to specify multiple map entries (with the same name) for cases where we have more than one IPSec peer for the firewall (e.g. three ASA firewalls in a hub-and-spoke configuration). If the above firewall is a Hub firewall in a Hub-and-Spoke VPN configuration with 2 spokes, then there will be two crypto map entries with same "name" but different "sequence numbers".
Let's see the complete example configuration for both firewalls for Phase 2 setup:

ASA 1:

ASA-1(config)# crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
ASA-1(config)# crypto map ASA1VPN 10 match address LAN1-to-LAN2
ASA-1(config)# crypto map ASA1VPN 10 set peer 200.200.200.1
ASA-1(config)# crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
ASA-1(config)# crypto map ASA1VPN 10 set security-association lifetime seconds 3600
ASA-1(config)# crypto map ASA1VPN interface outside

ASA 2:

ASA-2(config)# crypto ipsec ikev1 transform-set ASA2TS esp-aes-192 esp-sha-hmac
ASA-2(config)# crypto map ASA2VPN 10 match address LAN2-to-LAN1
ASA-2(config)# crypto map ASA2VPN 10 set peer 100.100.100.1
ASA-2(config)# crypto map ASA2VPN 10 set ikev1 transform-set ASA2TS
ASA-2(config)# crypto map ASA2VPN 10 set security-association lifetime seconds 3600
ASA-2(config)# crypto map ASA2VPN interface outside

* STEP 4: Verify Encrypted Data Transfer

With the three steps above we concluded the configuration of a site-to-site IPSec VPN. An essential step though is to verify that everything is working fine and that our data is actually getting encrypted by the firewalls. There are two important commands that will help you verify if the tunnel is established and if data is bi-directionally encrypted between the IPSec peers.

Verify that tunnel is established

The show crypto isakmp sa command verifies that the Security Association (SA) is established, which means that the tunnel is up and running. Let's see an example output of this command below:

ASA-1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.200.200.1
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
The output above shows the State: MM_ACTIVE. This verifies that the IPSec tunnel is established successfully.

Verify that data is bi-directionally encrypted

The show crypto ipsec sa command verifies that data is being encrypted and decrypted successfully by the firewall appliance, as shown below:

ASA-1# show crypto ipsec sa

interface: outside
    Crypto map tag: ASA1VPN, seq num: 10, local addr: 100.100.100.1

      access-list LAN1-to-LAN2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 200.200.200.1

      #pkts encaps: 2050, #pkts encrypt: 2050, #pkts digest: 2050
      #pkts decaps: 2108, #pkts decrypt: 2108, #pkts verify: 2108
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2050, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 100.100.100.1, remote crypto endpt.: 200.200.200.1

--Output Omitted--

The output fields #pkts encrypt: 2050 and #pkts decrypt: 2108 show indeed that we have encryption of data bi-directionally.
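Most site-to-site IKEv1 tunnels that fail to come up do so because one of the mirrored settings from Steps 1 to 3 differs between the two firewalls. The following Python is an added example (not from the book, not Cisco code) that models both peers of the VPN above as plain data and checks the things the text says must match: the peer addresses, the mirrored Crypto ACLs, a common IKEv1 policy, a common transform set and the pre-shared key. The SitePeer and Ikev1Policy structures, their field names and the deliberately broken ASA2_BROKEN copy are this example's own assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ikev1Policy:
    priority: int
    encryption: str      # aes | aes-192 | aes-256 | 3des | des
    hash_alg: str        # sha | md5
    authentication: str  # pre-share | rsa-sig
    group: int           # DH group
    lifetime: int        # seconds


@dataclass(frozen=True)
class SitePeer:
    name: str
    outside_ip: str
    peer_ip: str                                 # "set peer" / tunnel-group address
    local_lan: str                               # CIDR of the LAN behind this ASA
    remote_lan: str                              # CIDR of the LAN behind the peer
    policies: Tuple[Ikev1Policy, ...]
    transform_sets: Tuple[Tuple[str, ...], ...]  # e.g. (("esp-aes-192", "esp-sha-hmac"),)
    pre_shared_key: str


def crypto_acl_line(acl_name: str, peer: SitePeer) -> str:
    """Render this peer's Crypto ACL (outbound: local LAN -> remote LAN) in ASA syntax."""
    local = ipaddress.ip_network(peer.local_lan)
    remote = ipaddress.ip_network(peer.remote_lan)
    return (f"access-list {acl_name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")


def policy_matches(a: Ikev1Policy, b: Ikev1Policy) -> bool:
    # Lifetime need not be identical: IKEv1 settles on the shorter of the two.
    return ((a.encryption, a.hash_alg, a.authentication, a.group)
            == (b.encryption, b.hash_alg, b.authentication, b.group))


def check_pair(a: SitePeer, b: SitePeer) -> List[str]:
    """List the mismatches between two site-to-site peers; an empty list means consistent."""
    problems = []
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        problems.append("peer addresses do not point at each other")
    # Step 1: the Crypto ACLs must be exact mirrors of each other.
    if (ipaddress.ip_network(a.local_lan) != ipaddress.ip_network(b.remote_lan)
            or ipaddress.ip_network(a.remote_lan) != ipaddress.ip_network(b.local_lan)):
        problems.append("crypto ACLs are not exact mirrors")
    # Step 2: at least one IKEv1 policy pair must agree (lowest priority number first).
    a_sorted = sorted(a.policies, key=lambda p: p.priority)
    b_sorted = sorted(b.policies, key=lambda p: p.priority)
    if not any(policy_matches(pa, pb) for pa in a_sorted for pb in b_sorted):
        problems.append("no matching IKEv1 policy")
    # Step 3: transform sets are compared as unordered sets of transforms.
    if not ({frozenset(t) for t in a.transform_sets}
            & {frozenset(t) for t in b.transform_sets}):
        problems.append("no matching IPSec transform set")
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared keys differ")
    return problems


# Constructed peers mirroring the ASA-1 / ASA-2 example of this section.
STRONG_POLICY = Ikev1Policy(priority=10, encryption="aes", hash_alg="sha",
                            authentication="pre-share", group=2, lifetime=3600)
ASA1 = SitePeer("ASA-1", "100.100.100.1", "200.200.200.1", "192.168.1.0/24", "192.168.2.0/24",
                (STRONG_POLICY,), (("esp-aes-192", "esp-sha-hmac"),), "somestrongkey")
ASA2 = SitePeer("ASA-2", "200.200.200.1", "100.100.100.1", "192.168.2.0/24", "192.168.1.0/24",
                (STRONG_POLICY,), (("esp-aes-192", "esp-sha-hmac"),), "somestrongkey")
# A deliberately broken ASA-2 (hypothetical): different key and a transform set ASA-1 lacks.
ASA2_BROKEN = SitePeer("ASA-2", "200.200.200.1", "100.100.100.1", "192.168.2.0/24", "192.168.1.0/24",
                       (STRONG_POLICY,), (("esp-3des", "esp-md5-hmac"),), "wrongkey")

if __name__ == "__main__":
    print(crypto_acl_line("LAN1-to-LAN2", ASA1))
    print("ASA-1 <-> ASA-2:", check_pair(ASA1, ASA2) or "consistent")
    print("ASA-1 <-> broken ASA-2:", check_pair(ASA1, ASA2_BROKEN))
```

The checks are ordered the way the tunnel negotiates: a wrong peer address or Crypto ACL means no interesting traffic is ever matched, a policy mismatch fails Phase 1 (the SA never reaches MM_ACTIVE), and a transform set or key mismatch fails Phase 2 or authentication, so the first problem reported is usually the one to fix first.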


6.4.2.1 Restricting VPN Traffic between the Two Sites

By default, a site-to-site IPSEC VPN provides full network connectivity between the two LANs. This means that hosts in LAN1 can access all hosts in LAN2 and vice-versa. However, this might not be desirable in some situations. There are cases where we want hosts from one site to access only specific hosts of the other site and not the whole network.
[Diagram: Site-to-Site IPSec VPN. LAN-1 192.168.1.0/24 behind ASA-1 (inside/outside, gateway GW1), LAN-2 192.168.2.0/24 behind ASA-2 (outside 200.200.200.1).]

In this section I will show you how to restrict IPSEC VPN traffic so that LAN-2 can access only two hosts on LAN-1 and not the whole network.

The key here is to disable the default command *sysopt connection pcrniit-vpn". This command is 
enabled by default on Cisco ASA and its purpose is to exempt all tPSLC VPN traffic from Access List 
check on the outside ASA interface. This means that when the above command is enabled, all IPSEC 
VPN traffic is allowed to pass between the two sites without restricting anything. If we disable the 
command above, then we must explicitly allow the EPSEC traffic from the peer site ori the outside 
Access ■Contra] List of the ASA, Hence, we can apply fine-grained, control of the IPSEC traffic 
between the two sites. 


Note that IPSEC uses three protocols: ESP, AH and IKE on UDP port 500 (isakmp). Therefore we must
allow those protocols on the outside Access List to reach the firewall interface. After that, we need
also to explicitly allow which private hosts on LAN-1 can be accessed from LAN-2.

Let's see how to restrict IPSEC VPN traffic so that LAN-2 can access only two hosts (192.168.1.10
and 192.168.1.2) on LAN-1. This configuration will be performed on ASA-1.

ASA-1:

!First disable the IPSEC traffic exemption from Access List checks. This means that we must
explicitly specify which VPN traffic is allowed to pass.

ASA-1(config)# no sysopt connection permit-vpn


!Now let's explicitly allow IPSEC traffic from LAN-2 to LAN-1. We need first to allow the three
IPSEC Protocols from ASA-2 to ASA-1

ASA-1(config)# access-list outside_in extended permit esp host 200.200.200.1 host 100.100.100.1
ASA-1(config)# access-list outside_in extended permit ah host 200.200.200.1 host 100.100.100.1
ASA-1(config)# access-list outside_in extended permit udp host 200.200.200.1 host 100.100.100.1 eq isakmp

!Now allow access from LAN-2 to two hosts on LAN-1 only

ASA-1(config)# access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10
ASA-1(config)# access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2

!Apply the ACL to outside interface.

ASA-1(config)# access-group outside_in in interface outside


If you need to restrict traffic from LAN-1 to LAN-2, you must configure ASA-2 in a similar way to the
above scenario.
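To see what the outside_in ACL above actually permits once "sysopt connection permit-vpn" is disabled, here is an added example (not code from the book) that parses ASA-style extended ACL lines and evaluates sample flows against them in configured order, with the implicit deny at the end. The ACL text, the sample flows and the small port-name table are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the outside_in ACL of the scenario above, as it would be
# entered on ASA-1 (ASA extended ACL syntax uses subnet masks, not wildcards).
OUTSIDE_IN_ACL = """
access-list outside_in extended permit esp host 200.200.200.1 host 100.100.100.1
access-list outside_in extended permit ah host 200.200.200.1 host 100.100.100.1
access-list outside_in extended permit udp host 200.200.200.1 host 100.100.100.1 eq isakmp
access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10
access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
"""

# Small port-name table (assumed subset of the ASA keyword list) for the "eq" clause.
PORT_NAMES = {"isakmp": 500, "www": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    """One access control entry: action, protocol, source/destination, optional dest port."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec (host X | any | A.B.C.D MASK) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Parse the entries of the named extended ACL, preserving configured order."""
    aces = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line.strip())
        if not m or m.group(1) != name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, i = _parse_addr(rest, 0)
        dst, i = _parse_addr(rest, i)
        dport = None
        if i < len(rest) and rest[i] == "eq":
            dport = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation, as the ASA does; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN_ACL, "outside_in")
    for flow in [("esp", "200.200.200.1", "100.100.100.1", None),
                 ("udp", "200.200.200.1", "100.100.100.1", 500),
                 ("tcp", "192.168.2.7", "192.168.1.10", 22),
                 ("tcp", "192.168.2.7", "192.168.1.50", 22)]:
        print(flow, "->", evaluate(acl, *flow))
```

The esp/ah/udp-500 entries are what keep the tunnel itself alive after the exemption is removed; a host in LAN-2 reaching 192.168.1.50 falls through to the implicit deny, which is the restriction the section is after. One caveat a practitioner should keep in mind: when the peer sits behind NAT, IKE and ESP are carried in UDP 4500 (NAT-T), and the outside ACL then needs an equivalent entry for that port as well.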


6.4.3 Configuring Hub-and-Spoke IKEv1 IPSec VPN

A Hub-and-Spoke VPN topology is considered an extension of Site-to-Site VPN because we basically
have two or more Site-to-Site VPN links between a Central Hub site and two or more remote branch
sites (Spokes). Here we will see the configuration required on the Hub ASA device only because the
configuration on the Spoke ASA firewalls is the same as the Site-to-Site VPN we have seen above.
[Figure: Hub and Spoke IPSEC VPN. Hub ASA-1 with LAN-1 192.168.1.0/24; Spoke ASA-2 with LAN-2 192.168.2.0/24; Spoke ASA-3 with LAN-3 192.168.3.0/24; one IPSEC tunnel from each Spoke to the Hub]

Let's now see how to setup the Hub Site firewall (ASA-1) so that it establishes secure VPNs between
LAN-1 and LAN-2/LAN-3. Only the configuration that is different from the classical site-to-site VPN
is shown below.

ASA-1 (Hub):


• STEP 1: Configure Interesting Traffic and NAT Exemption

!First identify the interesting traffic to be encrypted. We need to have two ACLs, one for
each Spoke site.

ASA-1(config)# access-list VPN-ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# access-list VPN-ACL2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

!Then exclude the VPN interesting traffic from the NAT operation

ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0 <- Local LAN
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-remote1
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0 <- Spoke LAN2
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-remote2
ASA-1(config-network-object)# subnet 192.168.3.0 255.255.255.0 <- Spoke LAN3
ASA-1(config-network-object)# exit

ASA-1(config)# object network internal-lan <- This object will be used for PAT
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote1 obj-remote1 <- Exclude traffic from LAN1 to LAN2 from NAT operation

ASA-1(config)# nat (inside,outside) 2 source static obj-local obj-local destination static obj-remote2 obj-remote2 <- Exclude traffic from LAN1 to LAN3 from NAT operation

ASA-1(config)# object network internal-lan
ASA-1(config-network-object)# nat (inside,outside) dynamic interface <- Configure Port
Address Translation (PAT) using the outside ASA interface. This will perform dynamic NAT
on internal LAN hosts so that they can access the Internet.


• STEP 2: Configure Phase 1 (ISAKMP - ikev1)

!Configure Phase1 isakmp parameters

ASA-1(config)# crypto ikev1 policy 10
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption 3des
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 2
ASA-1(config-ikev1-policy)# lifetime 86400
ASA-1(config-ikev1-policy)# exit
ASA-1(config)# crypto ikev1 enable outside
ASA-1(config)# crypto isakmp identity address

!Configure static tunnel-groups with the Spoke Sites ASA-2 and ASA-3

ASA-1(config)# tunnel-group 200.200.200.1 type ipsec-l2l <- Tunnel with ASA-2
ASA-1(config)# tunnel-group 200.200.200.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key secretkey1 <- pre-shared key with static spoke ASA-2
ASA-1(config-tunnel-ipsec)# exit

ASA-1(config)# tunnel-group 150.150.150.1 type ipsec-l2l <- Tunnel with ASA-3
ASA-1(config)# tunnel-group 150.150.150.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key <pre-shared-key> <- pre-shared key with static spoke ASA-3
ASA-1(config-tunnel-ipsec)# exit

• STEP 3: Configure Phase 2 (IPSEC Transform Set and Crypto Map)

!Configure the transform set

ASA-1(config)# crypto ipsec ikev1 transform-set TRSET esp-3des esp-sha-hmac

!Note that the main crypto map now has two entries (10 and 20), one for each spoke

ASA-1(config)# crypto map VPNMAP 10 match address VPN-ACL1
ASA-1(config)# crypto map VPNMAP 10 set peer 200.200.200.1 <- Static IP Spoke ASA-2
ASA-1(config)# crypto map VPNMAP 10 set ikev1 transform-set TRSET
ASA-1(config)# crypto map VPNMAP 20 match address VPN-ACL2
ASA-1(config)# crypto map VPNMAP 20 set peer 150.150.150.1 <- Static IP Spoke ASA-3
ASA-1(config)# crypto map VPNMAP 20 set ikev1 transform-set TRSET

!Attach the main crypto map to the outside interface

ASA-1(config)# crypto map VPNMAP interface outside

The rest of the configuration is the same as the Site-to-Site VPN we have seen earlier.


6.5 Site-to-Site VPN using IKEv2 IPSEC

The new IPSEC key management protocol, IKEv2 (an updated version of IKE, RFC 5996 published in Sept
2010), is now fully supported by ASA firewalls. Cisco has quickly adopted this new standard for
several reasons. One of the reasons for implementing IKEv2 is that many customers including
existing Cisco VPN Client customers and big customers of Cisco required continuation of support
for remote-access and site-to-site VPNs with IPsec. Also, there is a mandate from security
compliance bodies to add support for the next generation Internet Key Exchange protocol, IKEv2, to
security products to meet higher levels of security requirements.

IKEv2 provides several improvements to the protocol compared to IKEv1:

• Photuris style cookie mechanism: Prevents DoS attacks from forged source addresses.
• Less round trips (down to 2 from 5 for a very basic exchange)
• GR'd transforms (reducing complexity and packet size)
• Built-in Dead-Peer-Detection (DPD) mechanism.
• Built-in configuration payload and user authentication mode (EAP)
• Bidirectional authentication methods
• Built-in NAT traversal
• Better re-keying and collision handling


In this section we will discuss some theory and configuration of site-to-site IPSEC VPNs using the
IKEv2 standard.


6.5.1 IKEv2 Site-to-Site VPN Overview

The IKEv2 functionality for site-to-site is designed in-line with the existing IKEv1 implementation
and it utilizes the existing configuration where appropriate and augments it with IKEv2 specific
configuration as necessary to allow independent control of each protocol. It provides you the same
functionality that we discussed in SITE-TO-SITE IPSEC VPN (using IKEv1) but with a few differences.


Specifically, IKEv2 adds the following features for site-to-site VPN:

• Full IKEv2 IPv6 support for site-to-site ONLY
• Ability to configure both IKEv1 and IKEv2 configurations in parallel and on the same crypto
  map.
• For the initiator, it allows fallback from IKEv2 to IKEv1 if a protocol or configuration issue
  exists with IKEv2 that causes the connection attempt to fail and both protocols are
  configured for the crypto map. This should make a migration easier.
• General feature parity with IKEv1 for things like the following (besides the things listed in
  the "IKEv2 Site-to-Site does not support" list):
  o Tunnel-group mapping based on: OU, certificate map rules, ike-id, peer-ip via the
    tunnel-group-map CLI.
  o Dynamic L2L.
  o Access-control via vpn-filter setting in the group-policy
  o Peer-id check
  o Delete tunnels on reboot and delete tunnels on crypto map changes etc.

The main differences between IKEv1 and IKEv2 for Site-to-Site VPN:

• IKEv2 allows for asymmetric authentication methods to be configured (e.g. pre-shared-key
  authentication for the originator but certificate authentication for the responder) using
  separate local and remote-authentication CLIs.
• IKEv2 does not negotiate the authentication method (pre-shared-key or certificate/rsa-sig) in
  the IKE policies as IKEv1 does, which makes the IKEv2 policies universal: the same policy can be
  used with any tunnel-group. For a responder, the authentication method is taken from the
  tunnel-group, which grabs the pre-shared-key or uses the trustpoint configured there.

IKEv2 Site-to-Site does not support:

• Multiple peers or backup peers
• Transport mode (GRE isn't supported)

Some Advantages of IKEv2 when compared to IKEv1:

• IKEv2 policies are agnostic to authentication: there is no authentication mechanism in a policy.
• Standardized essential features: NAT detection, Dead Peer Detection check, DoS (IP spoofing)
  protection.
• Informational messages have to be acknowledged. This should address some synchronization
  issues we saw with IKEv1.
• Asymmetric authentication: authenticate yourself with pre-shared-key and authenticate the peer
  with certificates, for example.

Some Disadvantages of IKEv2:

• Still a new technology.
• ... distribution, posture checks.


Migration from IKEv1 to IKEv2

If you configure both IKEv1 and IKEv2 in parallel on the same device (as we will see in the next
configuration scenario), the ASA supports fallback to IKEv1 if the IKEv2 tunnel is not established
for any reason with the other site. This will make migration easier.

Also, you can use a single command ("migrate L2L") on the ASA to migrate an existing ASA
configuration running IKEv1 VPN to IKEv2 VPN (for ASA 8.4 and later versions). The ASA uses the
IKEv1 configuration to automatically add the new lines of

6.5.2 IKEv2 Site-to-Site VPN Configuration

In this scenario, we will describe how IKEv2 will be used to establish a VPN tunnel between ASA-1
and ASA-2 and this will help PC 192.168.10.1 to talk to a remote Host 192.168.11.1. To make the
scenario more interesting and useful, we will actually have both IKEv1 and IKEv2 configured on the
ASA devices. We will use the diagram below for our scenario:

[Figure: LAN-1 (PC 192.168.10.1) behind ASA-1 (100.100.100.1) and LAN-2 (Host 192.168.11.1) behind ASA-2 (200.200.200.1), connected by the site-to-site VPN]



A summary of the steps required is shown on the list below:

1. Configure the ASAs:
   • We assume that interface addresses and routing are configured already.
   • Configure Interesting Traffic to be encrypted.
   • Configure IKEv2 policies and IPSEC proposals
   • Configure IKEv1 policies and transform-sets
   • Configure Crypto map with both IKEv1 and IKEv2 IPsec policies
   • Allow IKEv2 as a vpn-tunnel-protocol in the group-policy
   • IPsec L2L tunnel-group with pre-shared-keys configured (both IKEv1 and IKEv2) under
     ipsec-attributes. Configure them to be different in each direction for IKEv2 to illustrate
     asymmetric authentication behavior.
   • Enable both IKEv1 and IKEv2 on the outside interfaces
2. Configure the workstations.
3. Send traffic across and bring the tunnel up.



















• Step 1: Configure Interesting Traffic

In this scenario only specific hosts (not the whole LANs) are allowed to communicate through the
VPN tunnel.

ASA 1:

ASA-1(config)# access-list LAN1-to-LAN2 extended permit ip host 192.168.10.1 host 192.168.11.1

ASA 2:

ASA-2(config)# access-list LAN2-to-LAN1 extended permit ip host 192.168.11.1 host 192.168.10.1

NAT Exclusion for VPN Traffic

If you are using NAT on the firewall (which is very common), you must exclude the VPN interesting
traffic above from the NAT operation.

ASA 1:

ASA-1(config)# object network obj-local
ASA-1(config-network-object)# host 192.168.10.1
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-remote
ASA-1(config-network-object)# host 192.168.11.1
ASA-1(config-network-object)# exit

ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

ASA 2:

ASA-2(config)# object network obj-local
ASA-2(config-network-object)# host 192.168.11.1
ASA-2(config-network-object)# exit

ASA-2(config)# object network obj-remote
ASA-2(config-network-object)# host 192.168.10.1
ASA-2(config-network-object)# exit

ASA-2(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
• Step 2: Configure IKEv2 Policy (similar to Phase 1 in IKEv1)

Like the older IKEv1 model, we need to configure an IKEv2 policy which is similar to the Phase 1
stage we have described in the IKEv1 site-to-site VPN scenario. In this policy, we can have multiple
encryption and integrity protocols under the same policy. This is because IKEv2 sends across a
single proposal containing multiple ciphers, compared to IKEv1 in which multiple policies must be
configured if we have multiple encryption and integrity proposals.

ASA 1:

ASA-1(config)# crypto ikev2 policy 1
ASA-1(config-ikev2-policy)# encryption aes 3des <- Notice we have 2 ciphers
ASA-1(config-ikev2-policy)# integrity sha md5 <- Notice we have 2 integrity algorithms
ASA-1(config-ikev2-policy)# group 2 <- Diffie-Hellman group
ASA-1(config-ikev2-policy)# prf sha <- Pseudo Random Function Algorithm
ASA-1(config-ikev2-policy)# lifetime seconds 86400
ASA-1(config-ikev2-policy)# exit

ASA 2:

ASA-2(config)# crypto ikev2 policy 1
ASA-2(config-ikev2-policy)# encryption aes 3des <- Notice we have 2 ciphers
ASA-2(config-ikev2-policy)# integrity sha md5 <- Notice we have 2 integrity algorithms
ASA-2(config-ikev2-policy)# group 2 <- Diffie-Hellman group
ASA-2(config-ikev2-policy)# prf sha <- Pseudo Random Function Algorithm
ASA-2(config-ikev2-policy)# lifetime seconds 86400
ASA-2(config-ikev2-policy)# exit

Note:

PRF is the Pseudo Random Function algorithm, which is the same as the integrity algorithm. It is not
mandatory. You must configure at least one encryption algorithm, one integrity algorithm, and one
DH group for the proposal to be considered complete.
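The difference described above (one IKEv2 proposal carrying several ciphers, versus one IKEv1 policy per combination) and the completeness rule in the Note can be made concrete with a small model. This is an added example, not code from the book or from Cisco: it assumes a simplified IKEv2 selection in which the initiator offers every configured value and the responder picks, per transform type, the first of its own configured values that was offered. The policy dictionaries are constructed from the Step 2 commands above.

```python
from itertools import product
from typing import Dict, List, Optional

# Constructed sample: the two "crypto ikev2 policy 1" blocks from Step 2, as
# attribute -> ordered list of configured values (order as typed on the CLI).
ASA1_POLICY = {"encryption": ["aes", "3des"], "integrity": ["sha", "md5"], "group": [2], "prf": ["sha"]}
ASA2_POLICY = {"encryption": ["aes", "3des"], "integrity": ["sha", "md5"], "group": [2], "prf": ["sha"]}

# Transform types that must be present for a policy to be complete (the Note above).
REQUIRED = ("encryption", "integrity", "group")


def policy_complete(policy: Dict[str, List]) -> bool:
    """At least one encryption algorithm, one integrity algorithm and one DH group."""
    return all(policy.get(attr) for attr in REQUIRED)


def ikev2_negotiate(initiator: Dict[str, List], responder: Dict[str, List]) -> Optional[Dict]:
    """Simplified IKEv2 selection (assumption, see lead-in): the initiator sends one
    proposal with all its values; the responder chooses the first of its own values
    that the initiator offered, per transform type. Returns None when a required
    type has no common value, i.e. NO_PROPOSAL_CHOSEN."""
    if not (policy_complete(initiator) and policy_complete(responder)):
        return None
    chosen = {}
    for attr in ("encryption", "integrity", "group", "prf"):
        offered = initiator.get(attr, [])
        match = next((v for v in responder.get(attr, []) if v in offered), None)
        if match is None and attr in REQUIRED:
            return None
        if match is not None:
            chosen[attr] = match
    return chosen


def ikev1_policies_needed(policy: Dict[str, List]) -> int:
    """IKEv1 carries exactly one cipher, one hash and one group per policy, so
    covering the same choice set needs one policy per combination."""
    return len(list(product(policy["encryption"], policy["integrity"], policy["group"])))


if __name__ == "__main__":
    print("negotiated:", ikev2_negotiate(ASA1_POLICY, ASA2_POLICY))
    print("IKEv1 policies for the same coverage:", ikev1_policies_needed(ASA1_POLICY))
```

With the responder preferring 3des first, the same initiator proposal yields a 3des tunnel, which is why the order of the values on the responder side matters when you migrate; and a policy whose only common DH group is missing is rejected outright rather than partially matched.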


• Step 3: Configure IKEv2 IPSEC Proposal (similar to transform-set in IKEv1)

This is similar to the Phase 2 stage we had in the IKEv1 case, where we have configured a transform
set. The "ipsec-proposal" in IKEv2 is the same as the "transform-set" we had in IKEv1.

The IPSEC security parameters in this step will be used to protect the data and messages within the
tunnel.

ASA 1:

ASA-1(config)# crypto ipsec ikev2 ipsec-proposal IKEv2-AES-SHA
ASA-1(config-ipsec-proposal)# protocol esp encryption aes
ASA-1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA-1(config-ipsec-proposal)# exit

ASA 2:

ASA-2(config)# crypto ipsec ikev2 ipsec-proposal IKEv2-AES-SHA
ASA-2(config-ipsec-proposal)# protocol esp encryption aes
ASA-2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA-2(config-ipsec-proposal)# exit

• Step 4: Configure IKEv1 Policy and Transform Sets (as we have seen in the previous section for
the IKEv1 site-to-site VPN)

In this scenario the ASAs have both IKEv1 and IKEv2 configured. If the IKEv2 VPN is not
established, they can revert back to IKEv1.

ASA 1:

!Configure the Phase1 Policy

ASA-1(config)# crypto ikev1 policy 10
ASA-1(config-ikev1-policy)# authentication pre-share <- Use pre-shared key for auth
ASA-1(config-ikev1-policy)# encryption aes <- Use AES encryption
ASA-1(config-ikev1-policy)# hash sha <- Use SHA for hashing
ASA-1(config-ikev1-policy)# group 2 <- Diffie-Hellman Group 2
ASA-1(config-ikev1-policy)# lifetime 86400 <- Lifetime of SA in seconds
ASA-1(config-ikev1-policy)# exit
ASA-1(config)# crypto isakmp identity address

!Configure the Phase2 Transform Set

ASA-1(config)# crypto ipsec ikev1 transform-set IKEv1-AES-SHA esp-aes esp-sha-hmac


ASA 2:

!Configure the Phase1 Policy

ASA-2(config)# crypto ikev1 policy 10
ASA-2(config-ikev1-policy)# authentication pre-share <- Use pre-shared key for auth
ASA-2(config-ikev1-policy)# encryption aes <- Use AES encryption
ASA-2(config-ikev1-policy)# hash sha <- Use SHA for hashing
ASA-2(config-ikev1-policy)# group 2 <- Diffie-Hellman Group 2
ASA-2(config-ikev1-policy)# lifetime 86400 <- Lifetime of SA in seconds
ASA-2(config-ikev1-policy)# exit
ASA-2(config)# crypto isakmp identity address

!Configure the Phase2 Transform Set

ASA-2(config)# crypto ipsec ikev1 transform-set IKEv1-AES-SHA esp-aes esp-sha-hmac
• Step 5: Configure Group Policy to allow both IKEv1 and IKEv2

ASA 1:

ASA-1(config)# group-policy GroupPolicy1 internal
ASA-1(config)# group-policy GroupPolicy1 attributes
ASA-1(config-group-policy)# vpn-tunnel-protocol ikev2 ikev1 <- allow both IKEv2 and IKEv1
ASA-1(config-group-policy)# exit

ASA 2:

ASA-2(config)# group-policy GroupPolicy1 internal
ASA-2(config)# group-policy GroupPolicy1 attributes
ASA-2(config-group-policy)# vpn-tunnel-protocol ikev2 ikev1 <- allow both IKEv2 and IKEv1
ASA-2(config-group-policy)# exit
• Step 6: Configure Crypto Maps with both IKEv1 and IKEv2 IPSEC Profiles

The crypto map combines the previously-created encryption algorithms, the remote peer, and the
Phase 2 policy into a single crypto map. Notice that we have both IKEv1 and IKEv2 IPSEC profiles
attached on the same crypto map.

ASA 1:

ASA-1(config)# crypto map outside_map 1 match address LAN1-to-LAN2
ASA-1(config)# crypto map outside_map 1 set peer 200.200.200.1
ASA-1(config)# crypto map outside_map 1 set ikev1 transform-set IKEv1-AES-SHA
ASA-1(config)# crypto map outside_map 1 set ikev2 ipsec-proposal IKEv2-AES-SHA
ASA-1(config)# crypto map outside_map interface outside

ASA 2:

ASA-2(config)# crypto map outside_map 1 match address LAN2-to-LAN1
ASA-2(config)# crypto map outside_map 1 set peer 100.100.100.1
ASA-2(config)# crypto map outside_map 1 set ikev1 transform-set IKEv1-AES-SHA
ASA-2(config)# crypto map outside_map 1 set ikev2 ipsec-proposal IKEv2-AES-SHA
ASA-2(config)# crypto map outside_map interface outside
• Step 7: Configure Tunnel-Group with both IPSEC Profiles

At this point we will configure the tunnel-group with the pre-shared keys. Unlike IKEv1, the
pre-shared key (or other authentication method) is specified separately for local and remote
authentication, since IKEv2 allows different authentication methods for the local and the remote
side.

ASA 1:

ASA-1(config)# tunnel-group 200.200.200.1 type ipsec-l2l
ASA-1(config)# tunnel-group 200.200.200.1 general-attributes
ASA-1(config-tunnel-general)# default-group-policy GroupPolicy1 <- Group Policy from Step 5
ASA-1(config-tunnel-general)# exit
ASA-1(config)# tunnel-group 200.200.200.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ASA-1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco1234
ASA-1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco123
ASA-1(config-tunnel-ipsec)# exit

ASA 2:

ASA-2(config)# tunnel-group 100.100.100.1 type ipsec-l2l
ASA-2(config)# tunnel-group 100.100.100.1 general-attributes
ASA-2(config-tunnel-general)# default-group-policy GroupPolicy1 <- Group Policy from Step 5
ASA-2(config-tunnel-general)# exit
ASA-2(config)# tunnel-group 100.100.100.1 ipsec-attributes
ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco123
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco1234
ASA-2(config-tunnel-ipsec)# exit

NOTE:

Please note that the pre-shared keys are used to authenticate the remote peer in order to build a
trust relationship. If you compare the configuration on ASA1 and ASA2, you will see that the
pre-shared-key defined for remote-authentication on ASA1 is matching the pre-shared-key defined
for local-authentication on ASA2 and vice versa. This illustrates the asymmetrical authentication
allowed by IKEv2.
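The cross-matching rule in the NOTE (ASA1 local key = ASA2 remote key, and vice versa) is easy to get backwards when the two firewalls are managed separately, and the tunnel then simply fails to authenticate. Below is an added example, not code from the book, that parses the ipsec-attributes of both tunnel-groups from plain configuration text and reports any key that does not line up. The configuration snippets are constructed from Step 7 above, with the CLI prompts stripped as they would appear in a saved configuration.

```python
import re
from typing import Dict, List

# Constructed sample: the Step 7 tunnel-group blocks of both firewalls, as they
# would appear in "show running-config" (sub-mode lines indented by one space).
ASA1_CONFIG = """\
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
 ikev2 remote-authentication pre-shared-key cisco1234
 ikev2 local-authentication pre-shared-key cisco123
"""
ASA2_CONFIG = """\
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco1234
"""

TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes")
KEY_RE = re.compile(
    r"^\s*(ikev1|ikev2 local-authentication|ikev2 remote-authentication) pre-shared-key (\S+)")


def parse_psks(config: str) -> Dict[str, Dict[str, str]]:
    """Return {peer-ip: {key-kind: key}} for every tunnel-group ipsec-attributes block."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current:
            keys[current][m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None  # an unindented line ends the ipsec-attributes sub-mode


def _unused():  # placeholder removed below
    pass
```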
• Step 8: Enable both IKEv1 and IKEv2 on the outside interface

ASA 1:

ASA-1(config)# crypto ikev2 enable outside
ASA-1(config)# crypto ikev1 enable outside

ASA 2:

ASA-2(config)# crypto ikev2 enable outside
ASA-2(config)# crypto ikev1 enable outside

• Step 9: Verification

ASA-1# show crypto isakmp sa

There are no IKEv1 SAs

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
9&&75il 100.100.100.1/500 200.200.200.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/58 sec
Child sa: local selector 192.168.10.1/0 - 192.168.10.1/65535
remote selector 192.168.11.1/0 - 192.168.11.1/65535
ESP spi in/out: 0x19e57b7b/0x8820a643


As you have seen above, the ASA firewall has established an IKEv2 Security Association (SA) with
the remote peer. If you have both IKEv1 and IKEv2 on the same device, then IKEv2 is preferred.

ASA-1# show crypto ipsec sa

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.1

access-list LAN1-to-LAN2 extended permit ip host 192.168.10.1 host 192.168.11.1
(output omitted)...

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
6.6 Remote Access IPSec VPNs

6.6.1 Remote Access IPSec VPN Overview

The second type of VPN that will be discussed in this chapter is Remote Access IPSec VPN. This type
of VPN enables a remote user, who must have the Cisco VPN client software installed, to establish a
secure IPSEC VPN tunnel with the ASA firewall in the central office. Once the tunnel is established,
the remote user is assigned a private IP address and can access the Corporate LAN.

NOTE: Cisco has announced the End-of-Life of its legacy IPSec VPN Client software, which has been
replaced by the "Cisco AnyConnect Secure Mobility Client" which provides secure SSL and
IPSec/IKEv2 connections to the ASA for remote users. We will discuss configuration of AnyConnect
in the next Chapter. Although the legacy IPSec VPN client is not supported any more, it is still
widely used in networks today, so it is still valuable to include it in this book.

The example below shows an ASA firewall protecting the Corporate LAN and a user with a software
VPN client establishing a secure connection with the ASA. An IP address from the range
192.168.20.0/24 will be assigned to the VPN client, which will be allowed to communicate with the
Internal Corporate network 192.168.1.0/24. Once the Remote Access VPN is established, the remote
user by default will not be able to access anything else on the Internet except the Corporate LAN
network. This behavior can be altered by configuring the "split tunneling" feature on the Firewall,
which however is not recommended for security purposes.

Next we will discuss the configuration required both on the ASA Firewall and the Cisco Software
client to build a remote access connection.


6.6.2 Configuring Remote Access IPSec VPN

A lot of configuration statements are the same as the site-to-site IKEv1 VPN, especially for IKE
Phase 1 and Phase 2 stages. Also, an IP address pool must be configured on the firewall for
dynamically assigning addresses to the remote users. Let's get started with the configuration:
• STEP 1: Configure an IP address Pool

The command format is the following:

Example:

ASA-1(config)# ip local pool VPNPOOL 192.168.20.1-192.168.20.254

Also, we need to specify to the firewall that the IP address assignment for the remote users will be
facilitated from a Local address pool:

ASA-1(config)# vpn-addr-assign local
Configure Split Tunneling (OPTIONAL)

Once the Remote Access VPN is established, the remote user by default will not be able to access
anything else on the Internet, except the Corporate LAN network. This behavior can be altered by
configuring the "split tunneling" feature on the Firewall, which however is not recommended for
security purposes. However, if you want to allow users to access the Internet and also access the
Corporate LAN network, you must configure a Split-Tunnel Access Control List:

ASA-1(config)# access-list splittunnel standard permit 192.168.1.0 255.255.255.0

Traffic from the remote users towards the network specified in the split-tunnel ACL
(192.168.1.0/24) will pass through the VPN tunnel. All other traffic from the remote user will go to
the Internet.

• STEP 2: NAT Exemption (Encrypted Traffic should be excluded from NAT)

Similarly with site-to-site VPN, we need to identify with an ACL the traffic flow from our internal
LAN network (192.168.1.0/24) towards the Remote Users (192.168.20.0/24) in order to be
excluded from NAT.

Example:

Cisco ASA Version Prior to 8.3

ASA-1(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list NONAT

Cisco ASA Version 8.3 and later

For ASA 8.3 and later, we need to configure the above NAT exemption as following:

ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# object network obj-vpnpool
ASA-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
ASA-1(config-network-object)# exit

ASA-1(config)# nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool

• STEP 3: Configure Group Policy

The Group Policy allows you to separate different remote access users into groups with different
attributes. For example, System Administrators can be assigned in a group having 24-hours VPN
access while normal remote users can be in a different group with 9am-5pm VPN access. The Group
Policy also provides DNS or WINS server addresses, connection filtering, idle timeout settings etc.

The command format is the following:

ASA(config)# group-policy "policy name" internal
ASA(config)# group-policy "policy name" attributes
ASA(config-group-policy)# ... (Optional attributes)

Example:

Assume that all remote users will use the same group policy with the name "companyvpn-policy".
Under the Group Policy we configure the DNS and WINS server addresses so that users can resolve
internal names, the idle timeout in minutes, and the split-tunnel ACL as configured above. This
policy determines which traffic will pass through the tunnel from the remote users.

NOTE:

Under Group Policy you can configure also a VPN Filter, with the purpose of restricting access from
remote users to certain IPs or Ports in the Corporate LAN. For example, assume that you want
remote VPN users to access only a specific server on port 80 and disallow anything else; you must
configure a filter ACL (with the VPN pool 192.168.20.0 255.255.255.0 as source) and apply it to
the Group Policy.

• STEP 4: Configure Usernames for Authentication

When the remote users connect with the VPN client they will be presented with a login screen in
order to authenticate. We need therefore to create username/password combinations for
authentication. The command format is:

ASA(config)# username "name" password "password"

Example:

ASA-1(config)# username user password 1234
• STEP 5: Configure IPSEC IKEv1 Policy (Phase 1)

This is similar with site-to-site VPN.

ASA-1(config)# crypto ikev1 policy 10
ASA-1(config-ikev1-policy)# encryption 3des
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# group 2
ASA-1(config-ikev1-policy)# lifetime 86400
ASA-1(config-ikev1-policy)# exit
ASA-1(config)# crypto ikev1 enable outside
ASA-1(config)# crypto isakmp identity address


• STEP 6: Configure IPSEC Phase 2 (IPSEC parameters)

This Step also has similarities with site-to-site IKEv1 VPNs. We need an IPSEC transform set which
will specify the encryption and authentication protocols for the Remote Access VPN. Also, we need
to configure a dynamic crypto map which will be assigned to a static crypto map.

A dynamic crypto map is required whenever we have a remote VPN peer with a dynamic public IP
address. This applies to remote access VPN users (their IP address is not known) and also to
site-to-site VPNs with a site having a dynamic public IP. Also, keep in mind that you must always
have a static crypto map in order to attach the dynamic crypto map to it.

Example:

!Configure a Transform Set

ASA-1(config)# crypto ipsec ikev1 transform-set RA-TS esp-3des esp-sha-hmac

!Configure a dynamic crypto map (DYN_MAP)

ASA-1(config)# crypto dynamic-map DYN_MAP 10 set ikev1 transform-set RA-TS

!Attach the dynamic crypto map (DYN_MAP) to a static crypto map (VPN_MAP)

ASA-1(config)# crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
ASA-1(config)# crypto map VPN_MAP interface outside
• STEP 7: Configure Tunnel Group

The Tunnel Group for Remote Access VPN binds together the Group Policy configured before and the
IP address pool. The command format is the following:

ASA(config)# tunnel-group "name" type remote-access
ASA(config)# tunnel-group "name" general-attributes
ASA(config)# tunnel-group "name" ipsec-attributes

The tunnel group name must be specified as the exact same name when configuring the VPN client
software, as we will see later.

Example:

ASA-1(config)# tunnel-group vpnclient type remote-access
ASA-1(config)# tunnel-group vpnclient general-attributes
ASA-1(config-tunnel-general)# default-group-policy companyvpn-policy <- Group Policy from Step 3
ASA-1(config-tunnel-general)# address-pool VPNPOOL <- IP Pool from Step 1
ASA-1(config-tunnel-general)# exit
ASA-1(config)# tunnel-group vpnclient ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key groupkey123

• STEP 8: Configure the VPN Client Software

After installing the VPN Client software, start the application and select "New" (see below) to
create a new connection entry.

[Figure: VPN Client "Create New VPN Connection Entry" dialog: Connection Entry, Description and Host fields; Authentication / Transport / Backup Servers / Dial-Up tabs; Group Authentication with Name, Password and Confirm Password; Certificate Authentication; Save and Cancel buttons]

Enter a name for the connection entry (e.g. "vpn") and provide a description. In the "Host" field,
specify the public IP address of the outside interface of the central ASA Firewall. The example
image above shows 172.16.1.1 but this should be changed accordingly to represent the outside
public IP of the ASA. Also, on the "Group Authentication" tab, the Name and Password of the Group
must be the same as the tunnel-group name and pre-shared-key from Step 7 above. In our example
configuration, the Group Authentication Name is "vpnclient" and the Password (pre-shared-key) is
"groupkey123". Press "Save" to save the settings.
[Figure: VPN Client main window, Connection Entries tab, with the "Connect" button]

After saving the configuration settings, return to the Connection Entries Tab as shown above and
press the "Connect" button to initiate the Remote Access VPN connection.

[Figure: VPN Client user authentication dialog with Username and Password fields, OK and Cancel buttons]

After initiating the VPN communication, the remote user will be presented with a login screen in
order to authenticate with the firewall. The credentials used in our example configuration (Step
4 above) are Username: user and Password: 1234





































After successfully outbciulcalliiK with Hie firewall* liu? novum VPN Hennite Arewut ninnol is 
establish'd- if you * 1st the Ipconng/lkU cun numid oil Uic romule Ilsur's computer* you will mo an IP 
jdress Sn tho ratine 192.166,20.fV2 4 aligned Ui tho virtu.fl Vl'N anniei'klmi limnfum Thin will 
IjIp n'cmotti- user to have lull network access to Ike ivmral C'H'ihhmIc l.AN, 

• STEP 9: Verification

Now let's verify that everything is working fine. Assuming the remote user authenticates successfully, we will see the following on ASA-1:

ASA-1# show crypto ipsec sa
interface: outside
    Crypto map tag: DYN_MAP, ...

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.1/255.255.255.255/0/0)
      current_peer: 135.12.101.240, username: user
      dynamic allocated peer ip: 192.168.20.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    ...Output Omitted...

As shown above, the remote user "user" has received a dynamically allocated IP address (192.168.20.1). Also, we have packets encrypted and decrypted.
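To make the verification above repeatable, here is an added example (my own code, not from the book) that parses "show crypto ipsec sa" output and checks the two points the text calls out: the assigned address must fall inside the pool range, and both packet counters must be moving. The sample output is constructed after the one above; the "seq num" and "local addr" values in it are assumptions, because that part of the output is not legible on the page.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical seq num and local addr); peer, username, assigned IP
# and packet counters are the values the book's 'show crypto ipsec sa' output reports.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: DYN_MAP, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.1/255.255.255.255/0/0)
      current_peer: 135.12.101.240, username: user
      dynamic allocated peer ip: 192.168.20.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""


@dataclass
class IpsecSa:
    """One security association as reported under 'show crypto ipsec sa'."""
    interface: str = ""
    peer: str = ""
    username: str = ""
    assigned_ip: str = ""
    counters: dict = field(default_factory=dict)


_INTERFACE = re.compile(r"^interface:\s*(\S+)")
_PEER = re.compile(r"current_peer:\s*([\d.]+)(?:,\s*username:\s*(\S+))?")
_ASSIGNED = re.compile(r"dynamic allocated peer ip:\s*([\d.]+)")
_COUNTER = re.compile(r"#pkts (\w+):\s*(\d+)")


def parse_ipsec_sa(text: str) -> list:
    """Return one IpsecSa per 'current_peer' block found in the command output."""
    entries = []
    interface = ""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _INTERFACE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = _PEER.search(line)
        if m:
            current = IpsecSa(interface=interface, peer=m.group(1), username=m.group(2) or "")
            entries.append(current)
            continue
        if current is None:
            continue
        m = _ASSIGNED.search(line)
        if m:
            current.assigned_ip = m.group(1)
            continue
        for name, value in _COUNTER.findall(line):
            current.counters[name] = int(value)
    return entries


def assess(sa: IpsecSa, pool: str) -> list:
    """Return findings for one SA; an empty list means the tunnel looks healthy.

    'encaps' counts packets the ASA sent into the tunnel and 'decaps' packets it
    received from the client, so a one-sided counter points at a specific side.
    """
    findings = []
    net = ipaddress.ip_network(pool, strict=False)
    if not sa.assigned_ip:
        findings.append("no IP address was assigned to the remote user")
    elif ipaddress.ip_address(sa.assigned_ip) not in net:
        findings.append(f"assigned IP {sa.assigned_ip} is outside the VPN pool {pool}")
    encaps = sa.counters.get("encaps", 0)
    decaps = sa.counters.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("SA is up but no traffic has crossed it yet")
    elif decaps > 0 and encaps == 0:
        findings.append("client traffic arrives (decaps) but nothing is sent back (encaps): "
                        "check routing and the NAT exemption for the pool")
    elif encaps > 0 and decaps == 0:
        findings.append("ASA sends traffic (encaps) but receives none (decaps): check the client side")
    if sa.counters.get("encrypt", 0) != encaps or sa.counters.get("decrypt", 0) != decaps:
        findings.append("encaps/encrypt or decaps/decrypt counters disagree")
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.username}@{sa.peer} -> {sa.assigned_ip}: {assess(sa, '192.168.20.0/24') or 'OK'}")
```

Feed it the real output of the command (pasted from the ASA) and the pool you configured; a one-sided counter is the usual first symptom of a missing NAT exemption or a routing gap for the pool.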
Chapter 7: AnyConnect Remote Access VPNs

In this Chapter I will describe AnyConnect remote access VPN for Cisco ASA. We will discuss both of the tunnel methods supported by AnyConnect (SSL and IKEv2). Before moving on to the details of AnyConnect VPNs, let's first see a comparison between the Remote Access WebVPN technologies supported by Cisco ASA firewalls.


7.1 Comparison between WebVPN Technologies

In this Chapter we will focus only on the AnyConnect VPN solution (to create either SSL or IKEv2/IPSEC VPNs). I decided not to bother with the clientless WebVPN solution because I believe that the benefits of using AnyConnect instead of clientless are much more. To justify what I'm saying, let's see the differences between the two and I'm sure you will understand why I focus only on AnyConnect!

Clientless WebVPN does not require any VPN client to be installed on the user's computer. It uses a normal web browser. By pointing the browser to https://[outside address of ASA] the user authenticates with the firewall and gets access to a Web Portal. Through this Web Portal, the user can then access a limited number of internal applications. Specifically, only internal Web applications (HTTP, HTTPS), email servers (POP3, SMTP, IMAP), Windows file shares and a small number of TCP legacy applications (e.g. Telnet) can be accessed. That is, there is no full network connectivity with Clientless WebVPN for the remote users.


AnyConnect VPN, on the other hand, provides FULL network connectivity to the remote user. The ASA firewall, working as AnyConnect VPN server, assigns an IP address to the remote user and attaches the user to the network. Thus, all IP protocols and applications function across the SSL or IKEv2/IPSEC VPN tunnel without any problems. By pointing the browser to https://[outside address of ASA] the user authenticates first with the firewall. After successful authentication, the user communicates through the AnyConnect VPN tunnel and has full access to the corporate network. For example, the user can open a Remote Desktop connection and access a Windows Terminal Server inside the central network. Although a special Java-based client is required to be installed on the user's desktop, this client can be supplied and installed dynamically on the user's computer by the ASA during the first connection of the user. The Java client can remain installed, or be removed from the user's desktop when disconnected from the ASA appliance. This Java client is small in size (around 3MB) and is stored on the ASA flash memory.

7.2 AnyConnect VPN Overview

The AnyConnect VPN client protects traffic at the network layer and above (tunnel-mode). It provides the same remote access connectivity as the legacy Cisco IPSec VPN client (i.e. full network access). The history of the WebVPN client versions is shown below:

Web VPN Client                          | Operating System Supported                                 | ASA version
----------------------------------------|------------------------------------------------------------|---------------------------------
SSL VPN Client (SVC)                    | Windows 2000 and XP                                        | 7.0-7.2
Original AnyConnect Client              | Windows 2000, XP, Vista, Mac OS X, Linux                   | 8.0+
New "Cisco AnyConnect Secure Mobility   | - Windows 7 32-bit (x86) and 64-bit (x64)                  | 8.0(3) and later for SSL VPN
Client" (supports both SSL VPN and      | - Windows Vista 32-bit (x86) and 64-bit (x64), including   | 8.4 and later for both SSL and
IPSEC/IKEv2 VPN)                        |   Service Packs 1 and 2                                    | IPSEC/IKEv2 VPN
                                        | - XP SP2+ 32-bit (x86) and 64-bit (x64)                    |
                                        | - Mac OS X 10.5 and later                                  |
                                        | - Linux Intel                                              |

On the older ASA versions 7.0 up to 7.2, the WebVPN client was called SVC (SSL VPN Client). From ASA version 8.0 and later, the client was called AnyConnect WebVPN client. The newest AnyConnect product, as we've said above, is now called "Cisco AnyConnect Secure Mobility Client".


Overview of AnyConnect VPN operation:

The diagram below shows a network topology with ASA and a remote user with AnyConnect VPN.

[Diagram: remote user (NIC IP 15.1.1.1) connecting over the Internet to the ASA, which assigns 192.168.5.1 from the range 192.168.5.1-192.168.5.20; corporate LAN behind the ASA]

The remote user has access to the Internet and has an IP address on his/her laptop interface card of 15.1.1.1 (NIC IP). The user can also be behind a router doing NAT/PAT and have his private IP address translated to a public IP by the Internet router. When the remote user connects and successfully authenticates to the ASA with the AnyConnect client, the ASA will assign an internal IP address to the user from a preconfigured IP address range (in our example above, this address range is 192.168.5.1 up to 192.168.5.20). From the diagram above, the ASA assigns IP 192.168.5.1 to the remote user. This means that the remote user is virtually attached to the corporate LAN behind the ASA firewall.

The operation overview described above assumes that the AnyConnect client is already installed on the user's computer. Let's see below the available options for initially installing the AnyConnect client.
There are two initial installation options for AnyConnect:

• Using the clientless WebVPN portal.

• Manual installation by the user or administrator.

With the clientless WebVPN portal method, the AnyConnect client is stored on the ASA flash and is downloaded to the user's computer after the user logs in to the clientless portal. This is the preferred method in my opinion because it automates the distribution of the client to the remote users.

With the manual installation method, the network administrator must download the AnyConnect package from the Cisco site and provide the file to the users for manual installation on their laptop. With this method, the user does not need to log in via clientless mode to start the SSL VPN tunnel. Instead, the users can start up the AnyConnect client manually from their desktop and provide their authentication credentials.

7.3 Basic AnyConnect SSL VPN Configuration

We will focus on the automatic AnyConnect installation option, i.e. the AnyConnect client is located on the ASA flash memory and is downloaded by the remote users. The diagram below will be used to describe a basic AnyConnect configuration. Note that in our scenario here we will set up an SSL VPN with authentication using the ASA local user database. In the next sections later on we will also describe SSL VPNs using a Self-Signed Certificate (ASA working as Local CA Server), using a 3rd Party CA Certificate, and also a Remote Access VPN using IKEv2/IPSEC with the AnyConnect client.

Let's now move on to the steps required to set up a basic AnyConnect SSL VPN.

















[Diagram: Corporate LAN 192.168.1.0/24 behind the ASA; Remote User connecting over a Remote Access SSL VPN; the ASA assigns an IP address from the range 192.168.5.1-20]

• STEP 1:

Transfer the AnyConnect PKG file to flash on the ASA. First you need to download one of the .pkg files from the Cisco website. An example Windows client file has the format "anyconnect-win-3.1.04072-k9.pkg".

To copy the PKG file to ASA flash:

ASA# copy {tftp|ftp|scp}://[server address]/anyconnect-win-3.1.04072-k9.pkg disk0:

Assume we have downloaded the AnyConnect client file on our computer with IP address 192.168.1.1. We will use a TFTP server on our PC to transfer the file to the ASA:

ASA# copy tftp://192.168.1.1/anyconnect-win-3.1.04072-k9.pkg disk0:
Address or name of remote host [192.168.1.1]?
Accessing tftp://192.168.1.1/anyconnect-win-3.1.04072-k9.pkg...

• STEP 2:

Specify the PKG image file on the ASA flash where the AnyConnect client is located. Also, enable the AnyConnect service on the outside ASA interface.

ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
ASA(config-webvpn)# enable outside <- enable WebVPN on the outside interface
ASA(config-webvpn)# anyconnect enable <- enable the AnyConnect client service
ASA(config-webvpn)# exit

Note: The number 1 at the end of the package file name specifies the order. It is used when you have more than one image stored on the ASA flash for AnyConnect (e.g. AnyConnect client images for Windows and MAC).

• STEP 3:

Exempt the SSL WebVPN traffic from Access List checks on the outside interface. By default, WebVPN traffic is not exempted from Access List checks after being terminated on the outside interface; once the traffic is decrypted, it is checked by the interface ACL applied on the outside interface. You must either include permit statements for the decrypted traffic in the ACL or use the "sysopt connection permit-vpn" command.

ASA(config)# sysopt connection permit-vpn

• STEP 4:

This step is optional but it is really helpful. All SSL VPN communication between remote users and the ASA works with secure HTTP (port 443). This means that users have to use "https://[ASA public IP]" on their browsers. Since most users will forget to use "https://", you can set up port redirection, which means that if the user connects to port 80 (with "http://"), the ASA will automatically redirect the browser to port 443.

ASA(config)# http redirect outside 80

• STEP 5:

Create an IP address pool from which the ASA will assign addresses to remote users. From the diagram above we see that after the remote user gets authenticated, the ASA assigns an IP address to the remote user from a predefined pool 192.168.5.1 up to 192.168.5.20.

ASA(config)# ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0


• STEP 6:

Exempt from NAT the traffic between the corporate LAN network behind the ASA and the remote user's address pool (VPNpool). We do this exemption because the VPN traffic is encrypted and must not pass through a NAT operation. This step is of course required only if we use NAT on the ASA.

Cisco ASA Version Prior to 8.3

ASA(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA(config)# global (outside) 1 interface <- We assume that we do PAT on the outside interface

Cisco ASA Version 8.3 and later

For ASA 8.3 and later, we need to configure the above NAT exemption as following:

ASA(config)# object network obj-local
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# exit

ASA(config)# object network obj-vpnpool
ASA(config-network-object)# subnet 192.168.5.0 255.255.255.0
ASA(config-network-object)# exit

ASA(config)# nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup

• STEP 7 (optional):

Similar to the IPSEC VPN client configuration, if you want to allow users to access the Internet and also access the Corporate LAN network at the same time, you must configure a Split-Tunnel Access Control List.

ASA(config)# access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

Traffic from the remote users towards the network specified in the ACL above (192.168.1.0/24) will pass through the SSL VPN tunnel. All other traffic from the remote user will go to the Internet. Note that the ACL created here will be used in Step 8 below. Note also that split tunneling is not considered best practice, because allowing a user to access the Internet and also be connected to the corporate network at the same time is risky (malware from the Internet can sneak in to the corporate network over the VPN tunnel).


• STEP 8:

Create a Group Policy for the AnyConnect WebVPN users. The Group Policy allows you to separate different remote access users into groups with different attributes. The Group Policy attributes that can be configured include DNS server addresses, split-tunneling settings, how the client will be downloaded (automatically or after prompting the user), whether the AnyConnect client software will remain permanently on the user's computer, etc.

The command format is as following:

ASA(config)# group-policy "policy name" internal
ASA(config)# group-policy "policy name" attributes
ASA(config-group-policy)# vpn-tunnel-protocol {[ikev1] [ikev2] [l2tp-ipsec] [ssl-client] [ssl-clientless]}
ASA(config-group-policy)# split-tunnel-policy {tunnelspecified | tunnelall}
ASA(config-group-policy)# split-tunnel-network-list value "acl-for-split-tunnel"
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# anyconnect keep-installer {installed | none}
ASA(config-group-webvpn)# anyconnect ask {none | enable [default {webvpn | anyconnect} timeout value]}
ASA(config-group-webvpn)# anyconnect dpd-interval {[gateway {seconds | none}] [client {seconds | none}]}

Explanation of the commands shown above:

split-tunnel-policy {tunnelspecified | tunnelall} <- Specify whether only selected traffic will pass through the tunnel ("tunnelspecified") or whether ALL remote traffic will pass through the tunnel ("tunnelall").

split-tunnel-network-list value "acl-for-split-tunnel" <- Specify the Access List for split tunneling (see Step 7 above).

anyconnect keep-installer {installed | none} <- "installed" means that the client remains installed permanently on the user's computer even after disconnection. The default is that the client gets uninstalled after the user disconnects from the AnyConnect session. It is recommended to keep the AnyConnect client installed permanently, so select "installed" here.

anyconnect ask {none | enable [default {webvpn | anyconnect} timeout value]} <- This command has to do with how the AnyConnect client will be downloaded to the user's computer.

• anyconnect ask none default webvpn <- The ASA immediately displays the WebVPN portal. This is the default configuration.

• anyconnect ask none default anyconnect <- Download the AnyConnect client automatically.

• anyconnect ask enable default anyconnect timeout 20 <- The user will get a prompt to install the AnyConnect client. If nothing is done within 20 seconds, the client will be downloaded and installed automatically.

anyconnect dpd-interval {[gateway {seconds | none}] [client {seconds | none}]} <- Enables the Dead Peer Detection (DPD) mechanism, which ensures that the ASA or the client can quickly detect a condition where the peer is not responding and the connection has failed.














Let's see the actual configuration commands of group-policy for our specific scenario:

ASA(config)# group-policy Anyconnect-Policy internal
ASA(config)# group-policy Anyconnect-Policy attributes
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless <- allow both AnyConnect ssl-client and clientless VPN
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-tunnel
ASA(config-group-policy)# dns-server value 192.168.1.15
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# anyconnect keep-installer installed
ASA(config-group-webvpn)# anyconnect ask none default anyconnect
ASA(config-group-webvpn)# anyconnect dpd-interval client 20 <- The client will check for Dead Peer Detection every 20 seconds.


• STEP 9:

Create a Tunnel Group. The tunnel group must incorporate the Group Policy configured above. It also binds the Group Policy with the IP address pool that we have already configured for remote users.

The command format is as following:

ASA(config)# tunnel-group "tunnel name" type remote-access
ASA(config)# tunnel-group "tunnel name" general-attributes
ASA(config-tunnel-general)# default-group-policy "grouppolicy name" <- Assign the Group Policy configured in Step 8 above.
ASA(config-tunnel-general)# address-pool "IP Pool for VPN" <- Assign the IP address pool configured in Step 5 above.
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group "tunnel name" webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias "group_name_alias" enable <- Create an alias name for the tunnel group which will be listed on the logon screen of the AnyConnect client.
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable <- Enable the listing of the alias names on the logon screen of the AnyConnect client.

Let's see the actual configuration commands of tunnel-group for our specific scenario:

Example:

ASA(config)# tunnel-group telecommuters type remote-access
ASA(config)# tunnel-group telecommuters general-attributes
ASA(config-tunnel-general)# default-group-policy Anyconnect-Policy
ASA(config-tunnel-general)# address-pool VPNpool
ASA(config-tunnel-general)# exit

ASA(config)# tunnel-group telecommuters webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias sslgroup_users enable <- The name ("sslgroup_users") will be shown on the log-in screen of AnyConnect.
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable <- Allow users to select which tunnel group to connect to (useful if you have multiple tunnel groups).

• STEP 10:

Create a local user on the ASA which will be used for AnyConnect authentication. This user will be allowed to have remote network access.

ASA(config)# username ssluser1 password secretpass
ASA(config)# username ssluser1 attributes <- OPTIONAL
ASA(config-username)# service-type remote-access <- OPTIONAL
















7.3.1 Complete Configuration of Basic AnyConnect SSL VPN:

This configuration is based on the network diagram in the section above.

This is for Cisco ASA Versions 8.3 and later (including 9.x):

ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# anyconnect enable
ASA(config-webvpn)# exit
ASA(config)# sysopt connection permit-vpn
ASA(config)# http redirect outside 80
ASA(config)# ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0
ASA(config)# object network obj-local
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# object network obj-vpnpool
ASA(config-network-object)# subnet 192.168.5.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup
ASA(config)# object network FOR_PAT
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,outside) source dynamic FOR_PAT interface
ASA(config)# access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
ASA(config)# group-policy Anyconnect-Policy internal
ASA(config)# group-policy Anyconnect-Policy attributes
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-tunnel
ASA(config-group-policy)# dns-server value 192.168.1.15
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# anyconnect keep-installer installed
ASA(config-group-webvpn)# anyconnect ask none default anyconnect
ASA(config-group-webvpn)# anyconnect dpd-interval client 20
ASA(config-group-webvpn)# exit
ASA(config-group-policy)# exit
ASA(config)# tunnel-group telecommuters type remote-access
ASA(config)# tunnel-group telecommuters general-attributes
ASA(config-tunnel-general)# default-group-policy Anyconnect-Policy
ASA(config-tunnel-general)# address-pool VPNpool
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group telecommuters webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias sslgroup_users enable
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# username ssluser1 password secretpass
ASA(config)# username ssluser1 attributes
ASA(config-username)# service-type remote-access
ASA(config)# wr mem
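As an added check (my own code, not part of the book), the script below parses the VPN-rel­evant part of the configuration above, written the way the running-config stores it, and flags the cross-references that a typo silently breaks: the ACL named in split-tunnel-network-list, the group policy and pool named in the tunnel-group, the client image on flash, and the NAT exemption, which must cover the whole pool and must precede the dynamic PAT rule because manual NAT rules are matched in order. The list of files on flash is passed in as a set, since a script cannot see disk0: itself.

```python
import ipaddress
import re

# Constructed input: the VPN-relevant part of the section's configuration as the
# running-config stores it (same objects, names and addresses as the book's example).
CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
sysopt connection permit-vpn
ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0
object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.5.0 255.255.255.0
object network FOR_PAT
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup
nat (inside,outside) source dynamic FOR_PAT interface
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy Anyconnect-Policy internal
group-policy Anyconnect-Policy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 dns-server value 192.168.1.15
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect
  anyconnect dpd-interval client 20
tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
 default-group-policy Anyconnect-Policy
 address-pool VPNpool
tunnel-group telecommuters webvpn-attributes
 group-alias sslgroup_users enable
"""

# Identity NAT of the form "source static X X destination static Y Y", and dynamic PAT.
NAT_STATIC = re.compile(r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2")
NAT_DYNAMIC = re.compile(r"^nat \(inside,outside\) source dynamic ")


def check_config(config: str, flash_files: set) -> list:
    """Return a list of findings; an empty list means every reference resolves."""
    lines = [l.rstrip() for l in config.splitlines()]
    text = "\n".join(lines)
    findings = []

    pools = {m.group(1): (m.group(2), m.group(3))
             for m in re.finditer(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", text, re.M)}
    objects = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
               for m in re.finditer(r"^object network (\S+)\n subnet ([\d.]+) ([\d.]+)", text, re.M)}
    acls = set(re.findall(r"^access-list (\S+) standard permit", text, re.M))
    policies = set(re.findall(r"^group-policy (\S+) internal", text, re.M))

    # Dangling references: the CLI accepts each of them, but the VPN then fails at runtime.
    for m in re.finditer(r"^ split-tunnel-network-list value (\S+)", text, re.M):
        if m.group(1) not in acls:
            findings.append(f"split-tunnel ACL '{m.group(1)}' is referenced but not defined")
    for m in re.finditer(r"^ default-group-policy (\S+)", text, re.M):
        if m.group(1) not in policies:
            findings.append(f"group-policy '{m.group(1)}' is referenced but not defined")
    for m in re.finditer(r"^ address-pool (\S+)", text, re.M):
        if m.group(1) not in pools:
            findings.append(f"address pool '{m.group(1)}' is referenced but not defined")
    for m in re.finditer(r"^ anyconnect image (\S+)", text, re.M):
        if m.group(1).split(":/", 1)[-1] not in flash_files:
            findings.append(f"anyconnect image {m.group(1)} is not present on flash")

    # NAT exemption: an identity rule must cover the whole pool and, because manual NAT
    # is first-match, it must appear before the dynamic PAT rule for the same source.
    exempt_idx = dyn_idx = None
    for i, line in enumerate(lines):
        m = NAT_STATIC.match(line)
        if m and exempt_idx is None:
            net = objects.get(m.group(2))
            if net and all(ipaddress.ip_address(ip) in net for lo_hi in pools.values() for ip in lo_hi):
                exempt_idx = i
        elif NAT_DYNAMIC.match(line) and dyn_idx is None:
            dyn_idx = i
    if exempt_idx is None:
        findings.append("no identity NAT covers the VPN pool: LAN replies to VPN clients would be translated")
    elif dyn_idx is not None and dyn_idx < exempt_idx:
        findings.append("dynamic PAT precedes the VPN NAT exemption; manual NAT is first-match, move the exemption up")

    for needed, why in ((" enable outside", "WebVPN is not enabled on the outside interface"),
                        (" anyconnect enable", "AnyConnect client access is not enabled"),
                        ("sysopt connection permit-vpn", "decrypted VPN traffic is subject to the outside ACL")):
        if needed not in lines:
            findings.append(why)
    return findings
```

Run it against "show running-config" output together with the file names from "dir disk0:"; the ordering check is the one that matters most when the PAT rule was configured before the VPN was added.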
7.3.2 Connection Steps of Basic AnyConnect SSL VPN

1. Connect with a browser to the ASA on its public outside IP address (https://[ASA public IP]). You will get the following screen:

[Screenshot: Internet Explorer certificate error page]
  There is a problem with this website's security certificate.
  The security certificate presented by this website was not issued by a trusted certificate authority.
  Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
  We recommend that you close this webpage and do not continue to this website.
  Click here to close this webpage.
  Continue to this website (not recommended).

Notice that we get a certificate error. This is because the client does not recognize the SSL Certificate presented by the ASA firewall. The browser of the client does not see a valid certificate signed by a trusted root CA for this connection. In the following sections we will see how to configure certificates to avoid this problem.

If you are on a trusted network with low probability of "man-in-the-middle" attacks, you can click "Continue to this website".

2. Enter your username and password configured on the ASA (local user database):

After you click on "Continue to this website" from the screen above, you will be prompted by the ASA to enter the username and password which correspond to the local ASA user we have created. Note also that the GROUP name "sslgroup_users" corresponds to the group-alias name configured in Step 9 of the configuration.
[Screenshot: ASA SSL VPN login page ("Please enter your username and password") with the GROUP drop-down showing sslgroup_users, USERNAME and PASSWORD fields and a Login button]

3. Click Login on the form shown above:

After you provide the correct credentials above, the ASA will automatically try to download and install the AnyConnect client to the computer of the user. This automatic downloading and installation is dictated by the command "anyconnect ask none default anyconnect" as described in the ASA configuration above. You can change this behavior accordingly (see Step 8 above).

By default, the new AnyConnect Secure Mobility Client version 3.1 and above will block your connection because the ASA is untrusted (due to the unknown certificate). You will get the following error message:































[Screenshot: AnyConnect WebLaunch page, "Using ActiveX for Installation", with the AnyConnect Downloader showing "Blocked" and the buttons "Change Setting..." and "Keep Me Safe"]

The only way to get rid of this message is to click on "Change Setting" above. If for example you are connected to an open WiFi connection where the probability of being attacked by "Man in the Middle" is higher, you should not try to connect until you get connected to a more trusted network.

4. After clicking on "Change Setting" on the message above, the installation will proceed. Depending on the security settings of your browser you will get some more certificate errors and warning messages. Click to continue again and the installation will proceed.



[Screenshot: AnyConnect WebLaunch page (Platform Detection, ActiveX, Java Detection, Java, Download, Connected), "Using ActiveX for installation": "Please look at the top of your browser for the information bar. To proceed with set up, select "Install ActiveX Control". If you are prompted to Retry or Cancel, select Cancel. Continuing in 10 seconds [skip]." with a Download link]

Note that the AnyConnect client is delivered by the ASA to the user using either ActiveX or Java. If one of these methods fails, the other one is used.

5. If the automatic Web Installation fails you can do a manual install:

If the installation fails to complete because of the security settings of your browser or computer, you can click on the "Download" button above in order to manually download the AnyConnect Client and install it. Clicking on the "Download" button above, you will get the following screen:
















































[Screenshot: AnyConnect WebLaunch page, "Manual Installation": "Web-based installation was unsuccessful. If you wish to install the Cisco AnyConnect Secure Mobility Client, you may download an installer package. Install using the link below: Windows 7/Vista/64/XP. Alternatively, retry the automatic installation."]

Click on the hyperlink shown above as "Windows 7/Vista/64/XP" and the AnyConnect client executable will be downloaded manually from the ASA to your computer. Run this executable in order to install the AnyConnect software on your computer. After installation is finished, you will find the "Cisco AnyConnect Secure Mobility Client" under your program files on your Windows machine.

6. Run the AnyConnect client:

Run the AnyConnect application and enter the IP address of the ASA. Click Connect.



































7. Successful Connection:

If the connection is successful you can see statistics (Bytes sent and received) and the IP address assigned to your client from the VPN Pool configured on the ASA. See screenshot below.

From now on you are fully connected to the remote network. You can now access Servers and applications on your corporate LAN.

[Screenshot: AnyConnect Secure Mobility Client statistics window. Connection Information: State Connected; Tunnel Mode (IPv4) Split Include; Tunnel Mode (IPv6) Drop All Traffic; Duration. Address Information: Client (IPv4) 192.…; Client (IPv6) Not Available; Server 30.30.20.2. Bytes Sent and Received.]

7.4 AnyConnect SSL VPN using Self-Signed ASA Certificate

By default, the ASA security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can configure the ASA to issue an identity certificate to itself (called a self-signed certificate) which remains the same even when the device is rebooted.

In the basic AnyConnect scenario above we have seen that we received a lot of error messages due to SSL certificate problems. Basically the client does not trust the ASA firewall because the ASA presents a certificate to the client which is not signed by a trusted CA. One of the easiest ways to avoid these certificate errors is to create a Self-Signed Identity Certificate on the ASA, export the certificate from the ASA and install it on the client machines as a trusted CA certificate.

Of course this is not an ideal situation but it's still a viable option for some enterprises. The ideal case would be to purchase an SSL certificate for the ASA (Identity Certificate) from one of the trusted 3rd Party Certificate Authorities out there (such as Verisign, Thawte, Entrust, DigiCert etc). Those trusted root CA certificates are already pre-installed in almost all client computers (Windows OS, browsers etc already trust them) so you won't have to install any certificates on the user's computer. However, in the case which we will describe here (where we have a self-signed certificate), we will have to install the Identity Certificate of the ASA on all remote users' computers in order to trust the SSL VPN connection with the ASA and avoid those annoying certificate errors. Of course this is an administration burden if you have many remote users but it can be an easy (and free) option if you don't have too many users.

Below we will see the configuration steps required for creating a self-signed certificate on the ASA.

• Step 1: Configure Domain Name and Clock on the ASA

Whenever you are working with certificates, it is essential to have correct clock settings on the ASA. Also, having an FQDN (Fully Qualified Domain Name) assigned to the ASA device will be helpful for the remote access users to easily identify the certificate presented by the ASA. Let's now create an FQDN and configure correct clock settings.

ASA(config)# clock set 11:40:00 9 Nov 2013
ASA(config)# hostname asafw
asafw(config)# domain-name mycompany.com <- the FQDN will be asafw.mycompany.com

It is recommended to configure the ASA with NTP (Network Time Protocol) so that it receives an accurate clock from an external source, but for the purposes of our example here we have just set the correct clock locally. Also, the FQDN of the ASA must be registered on a DNS server so that remote users will access the ASA with its FQDN, which will be resolved to its public IP address. If the remote users access the ASA (with the AnyConnect client or with a browser) by IP, then the user will get a certificate error.

• Step 2: Generate RSA key pair

In PKI (Public Key Infrastructure), you need to generate a public and private key pair. When you generate an RSA key, the ASA will generate two keys (public and private). RSA uses a public key/private key combination; the public key in this pair can be known by anyone and can be distributed widely without issue, and is used to encrypt messages or verify signatures.

asafw(config)# crypto key generate rsa label myrsakey modulus 1024 <- generate an RSA keypair with name "myrsakey" and 1024 bit modulus

! Verify the key generation
asafw(config)# show crypto key mypubkey rsa
Key pair was generated at: 11:48:23 EST Nov 9 2013
Key name: myrsakey
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081... (output omitted)

* Step 3: Configure a TrustPoint for the self-signed certificate

A "TrustPoint" is a special "container" configuration which includes all the details required to enroll the ASA device with a Certificate Authority (i.e. to create a CSR - Certificate Signing Request). Under a TrustPoint configuration we set parameters such as how the ASA will enroll with the CA, what RSA keypair will be used, what will be the DN (Distinguished Name) of the device (configured with the "subject-name" command) etc. After creating a certificate for the ASA device, the TrustPoint will be associated with this certificate.


In our example here, the enrollment method defined in the TrustPoint will be "self". This means that the ASA will enroll to itself (i.e. it will generate a self-signed certificate). In other words, the ASA will act as a CA and sign its own identity certificate.


asafw(config)# crypto ca trustpoint SELF-TP <- create a trustpoint with name SELF-TP
asafw(config-ca-trustpoint)# enrollment self <- ASA will enroll to itself (self-signed cert)
asafw(config-ca-trustpoint)# fqdn asafw.mycompany.com <- The certificate will be assigned to this FQDN. This MUST be the same as the CN name below.
asafw(config-ca-trustpoint)# subject-name CN=asafw.mycompany.com <- create a DN for this device. CN (Common Name) MUST be the same as the FQDN above.
asafw(config-ca-trustpoint)# keypair myrsakey <- This trustpoint will use the RSA keypair created in Step 2 above (with label "myrsakey")
asafw(config-ca-trustpoint)# exit

* Step 4: Generate the self-signed certificate

Now we will enroll the ASA to a CA using the settings of the trustpoint above. If we don't use "self" enrollment, this command will generate a CSR (Certificate Signing Request) which you have to send to a 3rd party CA in order to sign a certificate for the device. However, in our scenario here, the command in this step will generate a self-signed certificate for the ASA.

asafw(config)# crypto ca enroll SELF-TP <- enroll the ASA using the "SELF-TP" trustpoint settings.


Now the ASA will ask you a few questions as shown below:

% The fully-qualified domain name in the certificate will be: asafw.mycompany.com
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes


The self-signed certificate should be generated now. Let's see this certificate:

asafw(config)# show crypto ca certificates

Certificate
  Status: Available
  Certificate Serial Number: a2047e52
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asafw.mycompany.com
    cn=asafw.mycompany.com
  Subject Name:
    hostname=asafw.mycompany.com
    cn=asafw.mycompany.com
  Validity Date:
    start date: 12:42:19 EEST Nov 9 2013
    end date: 12:42:19 EEST Nov 7 2023
  Associated Trustpoints: SELF-TP

Notice from above that the "Issuer Name" (which is the CA) and the "Subject Name" (which is the device which will use the certificate) are the same. This is because the ASA acts as a CA to sign its own certificate. Also, this certificate is associated with the "SELF-TP" trustpoint.


* Step 5: Assign the TrustPoint to the outside interface

The trustpoint above, which is associated with the ASA self-signed certificate, must be assigned to the outside interface which is going to terminate the SSL access from the clients.

asafw(config)# ssl trust-point SELF-TP outside

* Step 6: Export the self-signed Identity Certificate of the ASA

As we have said before, we need to export this self-signed certificate of the ASA and import it to the clients as a trusted CA certificate.










asafw(config)# crypto ca export SELF-TP identity-certificate <- display the identity certificate of this trustpoint in PEM format

-----BEGIN CERTIFICATE-----
(base64 certificate data omitted)
-----END CERTIFICATE-----

The above command will display on the terminal screen the Identity certificate of the ASA in PEM format. From above, copy the certificate text from the terminal (all text including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and paste it into a text editor. Save it with the extension .pem (for example asacert.pem).


* Step 7: Import the self-signed Identity Certificate of the ASA into the client machine

By manually importing the ASA self-signed certificate to the user's machine, we make sure that the user will have the actual certificate of the ASA and not a rogue certificate which might be presented to the user by a man-in-the-middle attacker.

On a Windows machine, open the certificate manager (certmgr.msc) and then:

* Right Click on "Trusted Root Certification Authorities" > All Tasks > Import
* Follow the wizard and import the PEM file

From now on the browser (and hence the Anyconnect client) will trust the self-signed certificate of the ASA and the user will get no error warnings.



7.5 Anyconnect SSL VPN using Certificates from the Local CA on ASA

In the scenarios above we have seen first a basic Anyconnect SSL VPN configuration without any certificate configuration, and then we have seen a basic Anyconnect SSL VPN with a self-signed certificate on the ASA. Both of the scenarios above have used basic username/password authentication for the remote users.

Now we will describe a very interesting case which you will not find anywhere else. We will use the Local CA (Certificate Authority) feature of the ASA appliance for issuing signed certificates for both the ASA device and the remote users in order to implement Certificate Based Authentication for SSL VPN. In addition, we will also configure Local user authentication, essentially having a two-factor authentication solution (Certificates + User/Pass).

The ASA's Local CA Server provides the appliance with a basic level of certificate provisioning functionality. The primary use of the Local CA is to provide registered users the ability to enroll for certificates, which can then be used with features such as SSL VPNs or IKEv2 Remote Access VPNs. See the diagram below for our example.

[Diagram: Corporate LAN (192.168.1.0/24), ASA with Local CA, Remote User]


From our diagram above, the Local CA on ASA acts like a basic internal private Certificate Authority 
server. This private CA can issue certificates to both the ASA device itself and also to remote users. 


Please note the following key points when configuring a Local CA Server on ASA:

1. When you enable the default Local CA Server on the ASA it will create some default settings like a 1024 bit modulus, a CRL Distribution Point URL etc.

2. Enter a strong passphrase to protect the CA's private key.

3. Add a user to the database of the Local CA server and create an OTP (One Time Password) to be used by this user for enrollment to the CA.

4. The URL to be used by the user for enrollment to the CA and for downloading his/her certificate is https://ASAHostname/+CSCOCA+/enroll.html

5. The user must enroll and download the user certificate from the ASA. This certificate must be installed into the certificate store of the user's computer.

By enabling and using the default Local CA Server you get the following default settings:

* A 1024 bit RSA key for the CA (this can be changed, up to 2048).
* A CRL URL of http://ASAHostname/+CSCOCA+/asa_ca.crl
* An issuer name derived from the ASA hostname (unless you specify a different issuer-name).
* Default storage of CA files in local flash.

So by enabling the Local CA Server on the ASA it is like having a private Certificate Authority server which can generate and sign certificates for the users and for the ASA itself. This functionality can be used to replace the self-signed certificate provisioning which we have described in the previous section. That is, instead of generating a self-signed certificate on the ASA and manually importing this certificate to the remote users, now we will enable the users to connect with their browser to a special URL on the ASA and, using an OTP (One Time Password), download a PKCS12 certificate which will be generated and signed by the Local CA on the ASA. This PKCS12 certificate will contain both the Local CA Certificate and the user Identity Certificate. By double-clicking on this PKCS12 certificate file, Windows machines will automatically install both certificates (CA and User Certificate) into the computer's certificate store.

The above functionality will provide a trust between remote users and ASA and avoid the SSL certificate errors. However, we will take this one step further: By generating a PKCS12 certificate also for the ASA itself and then importing this certificate into a Trustpoint on the ASA, it will be like issuing a certificate for the ASA using its Local CA. Therefore now we will have certificates for both the ASA and the users signed by the same trusted private CA (Local CA of ASA) and we can perform Certificate Based Authentication of the users. By enabling also LOCAL AAA (Local User Authentication), we will essentially provide a two-factor authentication scheme (Certificates + User/Pass) for the remote users.

Let's now proceed with the actual configuration and hopefully everything will be clear. Please note that the core Anyconnect SSL VPN configuration is the same as in the sections above (basic Anyconnect), so we will reuse several settings from the previous section and will not explain all the configuration for Anyconnect here.

* STEP 1:

When using certificates it is essential to have correct clock settings on the ASA and also have a proper FQDN domain name assigned to the ASA.

ASA(config)# clock set 21:50:00 25 OCT 2013
ASA(config)# domain-name mycompany.com <- FQDN will be ASA.mycompany.com

! It's even better if you set up NTP on the ASA so that the clock will be retrieved from an NTP server.
* STEP 2:

Enable and configure the Local CA Server on the ASA.

ASA(config)# crypto ca server
ASA(config-ca-server)# smtp from-address localca@mycompany.com <- required
ASA(config-ca-server)# subject-name-default CN=ASA, O=mycompany, C=US
ASA(config-ca-server)# lifetime ca-certificate 1095 <- CA cert lifetime is 1095 days
ASA(config-ca-server)# lifetime certificate 365 <- Certs issued by this CA live 365 days
ASA(config-ca-server)# issuer-name CN=ASALOCALCA, C=US, ST=kansas, L=lawrence, O=mycompany, OU=security <- Distinguished Name of the Local CA
ASA(config-ca-server)# keysize server 1024 <- size of keypair for the Local CA server (can go up to 2048 bits)
ASA(config-ca-server)# no shutdown <- enable the CA server

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: {Enter strong password here}
Re-enter passphrase: **********
Keypair generation process begin. Please wait...
Completed generation of the certificate and keypair.
Archiving certificate and keypair to storage... Complete
INFO: Certificate Server enabled.
ASA(config-ca-server)# exit

To verify that we have a CA certificate in place:

ASA(config)# show crypto ca certificates


CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=ASALOCALCA
    c=US
    st=kansas
    l=lawrence
    o=mycompany
    ou=security
  Subject Name:
    cn=ASALOCALCA
    c=US
    st=kansas
    l=lawrence
    o=mycompany
    ou=security
  Validity Date:
    start date: 14:00:03 EEST Nov 6 2013
    end date: 14:00:03 EEST Nov 5 2016
  Associated Trustpoints: LOCAL-CA-SERVER

Note that when the Local CA server is enabled, the ASA will automatically create a Trustpoint with name "LOCAL-CA-SERVER" for the CA certificate.


* STEP 3:

Add a user in the CA database and authorize it to enroll with the CA Server using an OTP (One Time Password). By adding a user to the CA database, the CA server will sign and generate a certificate for the user in PKCS12 format (when the user enrolls via a browser).

ASA(config)# crypto ca server user-db add remoteuser1 dn CN=remoteuser1 <- create user in CA database and also assign a CN name which must be the same as the username.
ASA(config)# crypto ca server user-db allow remoteuser1 display-otp <- allow the user to enroll and display its enrollment OTP on screen.

Username: remoteuser1
OTP: 8B5FBD064620843F
Enrollment Allowed Until: 22:36:09 UTC Mon Oct 28 2013


By using the display-otp keyword above we have chosen to have the one time password shown on the screen instead of via email delivery (you could enable email delivery of the OTP if needed). Now the remote user needs to enroll with the CA, which is easily done using a web browser. The remote user can access the enrollment page at the following URL:

https://ASAHostname/+CSCOCA+/enroll.html

In our scenario above, the actual enrollment URL will be:

https://asa.mycompany.com/+CSCOCA+/enroll.html





The picture below shows a screenshot of the enrollment window for our example above.

[Screenshot: Cisco Local CA enrollment page with the fields "Username" and "One-time Password" and the buttons "Submit" and "Reset". The note on the page reads: on successful authentication, open or save the generated certificate, install the certificate in the browser store, close all the browser windows, and start the VPN connection.]


As you can see from above, the Local CA on the ASA will ask the remote user to log in in order to download its PKCS12 user certificate. Use the username and OTP from above in order to enroll the user to the CA. After clicking "Submit", a certificate with filename "remote user1.p12" will be generated and downloaded to the user's computer.

On Windows machines, by double-clicking this certificate file a wizard will start to help you import this certificate in the computer's certificate store. When the wizard asks you to enter the password of the private key, simply use the OTP password used above.

This PKCS12 file contains both the user certificate and also the Local CA certificate. The user certificate will be automatically imported in the "Personal" certificate store and the CA certificate will be imported in the "Trusted Root Certification Authorities" store. You can run "certmgr.msc" to view and manage the certificates.


To verify that the user above has been enrolled successfully:

ASA# show crypto ca server user-db

username: remoteuser1
email: <None>
dn: CN=remoteuser1
allowed: 22:36:09 UTC Mon Oct 28 2013
notified: 1 times
enrollment status: Enrolled, Certificate valid until 23:28:30 UTC Sat Oct 25 2014, Renewal: Allowed

As you can see above, the user "remoteuser1" has enrolled successfully.


* STEP 4:

One of the tasks of this scenario is to implement certificate based authentication for the remote users. This means that the user will authenticate to the ASA using its certificate, and also the ASA will present to the user its own identity certificate for validation. If both certificates are signed by the same trusted CA (i.e. the Local CA of the ASA), then authentication will be successful.

In order to issue a certificate to the ASA (identity certificate), we will have to somehow enroll the ASA as a user to its own Local CA. Just like the step above, we can create a user in the CA database which will represent the ASA device. The username must be the hostname of the ASA (in our example here the hostname of the ASA device happens to be the name "asa"). Then, using a PC we can connect to the enrollment URL on the ASA and enroll this user into the Local CA. This means that the Local CA will sign and generate a PKCS12 certificate which will be downloaded to the PC of the administrator. After that we will install this certificate in the ASA device (instead of the user's computer as we did in the previous step).

Let's see the commands and procedure below:

ASA(config)# crypto ca server user-db add asa dn CN=asa.mycompany.com,C=US,ST=kansas,L=lawrence,O=mycompany,OU=security <- create user in CA database with name "asa" which is the hostname of the ASA device. Also assign a DN.
ASA(config)# crypto ca server user-db allow asa display-otp <- allow the user "asa" to enroll and display its enrollment OTP on screen.












Username: asa
OTP: E2194722D475A34A
Enrollment Allowed Until: 23:30:07 UTC Mon Oct 28 2013

Now, just like Step 3 above, visit the enrollment URL:

https://asa.mycompany.com/+CSCOCA+/enroll.html

and enter the credentials of the user (username = asa and OTP = E2194722D475A34A).

The CA will generate a PKCS12 certificate for the user "asa". Download this certificate file (asa.p12) on your computer.

NOTE: As an administrator of the ASA firewall, you can enroll the user "asa" from the inside network. To do this you must enable webvpn on the inside interface as shown below:

ASA(config)# webvpn
ASA(config-webvpn)# enable inside

Then you can access the ASA from its inside IP address: https://192.168.1.1/+CSCOCA+/enroll.html


* STEP 5:

Now the ASA administrator will have a PKCS12 certificate file ("asa.p12") which corresponds to the ASA device. We have to import this certificate into the ASA. We have two options to import a certificate: either using the CLI or using the graphical ASDM firewall management tool.

OPTION 1: Import the ASA Certificate using the CLI

This certificate is in binary format, so you will have to convert it into "base64" format (PEM format). I have used a Linux tool called "openssl" to convert the file as follows:

root@linux:~# openssl base64 -in asa.p12 -out asa.pem

Now the new converted file (asa.pem) will be in clear text (a bunch of numbers and letters) which you can open with a text editor.

Now that we have a base64 encoded certificate file from the conversion above, we need to import this certificate into its own Trustpoint on the ASA. This certificate file will contain both the Identity Certificate for the ASA and the CA certificate which generated it.














ASA(config)# crypto ca import TRUSTPOINT1 pkcs12 E2194722D475A34A

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
MIILYgIBAzCCCxwGCSqGSIb3DQEHAaCC... (output omitted)
quit

INFO: Import PKCS12 operation completed successfully

The command above asks the ASA to import a pkcs12 certificate (with password E2194722D475A34A, which is the OTP generated when we enrolled the user "asa") into a Trustpoint with name "TRUSTPOINT1".

The firewall will wait for you to paste the base-64 certificate. Open the "asa.pem" file with a text editor and just copy/paste the certificate into the terminal window on the ASA. Type in "quit" on a line by itself. This procedure imports the certificate into the ASA device.

OPTION 2: Import the ASA Certificate using the graphical ASDM

You can connect to the ASA using its graphical management tool (ASDM) in order to import the "asa.p12" certificate without having to convert it to base64 format.

Under the ASDM environment, go to:

Configuration > Remote Access VPN > Certificate Management > Identity Certificates

Click on the "Add" button to get the following screen:

[Screenshot: ASDM "Add Identity Certificate" dialog. Trustpoint Name: TRUSTPOINT1. Selected option: "Import the identity certificate from a file (PKCS12 format with Certificate(s)+Private Key)", with the fields "Decryption Passphrase" and "File to Import From: C:\asa.p12". Unselected option: "Add a new identity certificate" (Key Pair, Certificate Subject DN, "Generate self-signed certificate", "Act as local certificate authority and issue dynamic certificates to TLS-Proxy"). Buttons: Advanced, Add Certificate, Cancel.]




Change the Trustpoint Name to a unique name "TRUSTPOINT1" and for the "Decryption Passphrase" use the OTP we have generated before (i.e. E2194722D475A34A). Also select the certificate file to import, "asa.p12". Clicking on "Add Certificate" will import the PKCS12 certificate without having to convert it to base64 format.

* STEP 6:

We need to use the Trustpoint created above for SSL certificate validation on the outside ASA interface. Also, we need to allow ssl client connections to be validated by this Trustpoint using the "client-types" command.

ASA(config)# crypto ca trustpoint LOCAL-CA-SERVER
ASA(config-ca-trustpoint)# no client-types <- First disable ssl client validation by the default LOCAL-CA-SERVER trustpoint
ASA(config-ca-trustpoint)# exit

ASA(config)# crypto ca trustpoint TRUSTPOINT1
ASA(config-ca-trustpoint)# client-types ssl <- Enable ssl client validation by this trustpoint
ASA(config-ca-trustpoint)# exit

ASA(config)# ssl trust-point TRUSTPOINT1 outside <- Apply this Trustpoint on the outside interface in order to be used for SSL certificate validation and authentication.
* STEP 7:

Configure the rest of the Anyconnect settings as we have already done in the previous sections (Basic Anyconnect configuration). That is, configure Group Policy, Tunnel Group, VPN pool, NAT exemption etc. We will not explain these here again.

* STEP 8:

Enable Local username authentication as well as certificate authentication:

ASA(config)# username remoteuser1 password secretpass <- create a local user with the same name as the one created in the CA database (Step 3).
ASA(config)# tunnel-group telecommuters webvpn-attributes
ASA(config-tunnel-webvpn)# authentication aaa certificate <- enable aaa local authentication together with certificate authentication.


If you have followed every step above, remote users will be able to use Anyconnect for remote access SSL VPN and be authenticated with both certificates and username/password.

To verify the above use the following:

ASA(config)# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : remoteuser1            Index        : 7
Assigned IP  : (omitted)              Public IP    : 195.14.24.12
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 12202                  Bytes Rx     : 9616
Pkts Tx      : 18                     Pkts Rx      : 53
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : Anyconnect-Policy      Tunnel Group : telecommuters
(output omitted)

AnyConnect-Parent:
  Tunnel ID    : 7.1
  Public IP    : 195.14.24.12
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Client Type  : AnyConnect


As you can see from the output above, the Authentication Mode used is both Certificate and userPassword.
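Verifying the authentication mode of one session by eye, as above, does not scale when many users are connected at once. The following Python script is an added example (not code from the book or from Cisco): it parses the two-column output of "show vpn-sessiondb detail anyconnect" into one record per session and lists the users of a given tunnel group whose session was not authenticated with both a certificate and a password, which is the condition Step 8 is meant to enforce. The sample output it parses is constructed to mirror the output shown above; the second session (remoteuser2, password only) is invented to show a failing case.

```python
"""Audit AnyConnect sessions for two-factor (certificate + password) authentication.

Added example, not from the book: parses 'show vpn-sessiondb detail anyconnect'
output, which the ASA prints as two "Key : value" columns per line.
"""
import re

# Split a line into its two display columns: a run of 2+ spaces followed by
# another "Key :" label starts the second column.
_COL_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][^:]*:)")


def parse_sessions(output):
    """Return a list of session dicts; per-tunnel fields live under 'tunnels'."""
    sessions, session, block = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Username"):             # each session starts with its Username line
            session = {"tunnels": {}}
            sessions.append(session)
            block = None
        if session is None:                          # header lines before the first session
            continue
        if line.endswith(":") and line.count(":") == 1:   # e.g. "AnyConnect-Parent:"
            block = line[:-1]
            session["tunnels"][block] = {}
            continue
        target = session["tunnels"][block] if block else session
        for column in _COL_SPLIT.split(line):
            key, sep, value = column.partition(":")
            if sep:
                target[key.strip()] = value.strip()
    return sessions


def auth_factors(session):
    """Factors reported in the parent tunnel's 'Auth Mode' field."""
    mode = session["tunnels"].get("AnyConnect-Parent", {}).get("Auth Mode", "").lower()
    factors = set()
    if "certificate" in mode:
        factors.add("certificate")
    if "userpassword" in mode:
        factors.add("password")
    return factors


def sessions_missing_two_factor(sessions, tunnel_group):
    """Usernames in tunnel_group whose session did not use both a certificate and a password."""
    return [s.get("Username") for s in sessions
            if s.get("Tunnel Group") == tunnel_group
            and auth_factors(s) != {"certificate", "password"}]


# Constructed sample modelled on the output shown in the book. remoteuser1
# mirrors the book's session; remoteuser2 is invented as a password-only session.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : remoteuser1            Index        : 7
Assigned IP  : 192.168.50.1           Public IP    : 195.14.24.12
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 12202                  Bytes Rx     : 9616
Group Policy : Anyconnect-Policy      Tunnel Group : telecommuters
AnyConnect-Parent:
  Tunnel ID    : 7.1
  Public IP    : 195.14.24.12
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Client Type  : AnyConnect

Username     : remoteuser2            Index        : 8
Assigned IP  : 192.168.50.2           Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : Anyconnect-Policy      Tunnel Group : telecommuters
AnyConnect-Parent:
  Tunnel ID    : 8.1
  Auth Mode    : userPassword
  Client Type  : AnyConnect
"""

if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    print("sessions:", len(parsed))
    print("not two-factor in telecommuters:", sessions_missing_two_factor(parsed, "telecommuters"))
```

To use it against a live firewall, capture the command output to a file and pass its contents to parse_sessions(); a non-empty result from sessions_missing_two_factor() for the tunnel group means some session was admitted without the certificate factor, which points at a tunnel-group whose authentication setting is not "aaa certificate".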

This concludes our Local CA example here. 

Please note that to avoid problems with the specific scenario above, it is better to have the Anyconnect client software pre-installed on the remote user's machine instead of having the users download the Anyconnect image on demand.


7.6 Anyconnect SSL VPN using 3 rd Party CA 

In the previous section we have discussed SSL VPN with certificates issued from the Local CA server that can be enabled on the ASA device. The Local CA on ASA provides basic functionality and may not be suited for large scale certificate management. Many enterprises prefer to have their own private CA server to issue certificates or even prefer to purchase certificates from external commercial Certificate Authority companies.

In this section we will describe how to configure the Cisco ASA to use certificates from a 3rd Party CA for SSL VPN with Anyconnect. The 3rd Party CA can be either a private CA controlled by your enterprise or an external commercial CA. The configuration on the ASA is the same in either case (private CA or commercial CA).

We will use a scenario in which we have a private Microsoft CA in our network controlled by our IT department. We will generate a Certificate Signing Request (CSR) on the ASA and then we will manually import a digital certificate from the CA into the ASA to be used for SSL VPN.

Using a Microsoft Certificate Authority server is a popular option used by many enterprises. Another option for a private CA could be the "openssl" package in Linux OS.

The actual configuration of the Microsoft CA is outside of the scope of this book. We will see only the ASA configuration below.
A note about the steps required for the remote users: if you want certificate authentication for them as well, you must have both an ASA certificate and a user certificate for each user. For the user certificate, the following steps are required:

* Create a CSR for the user.
* Sign the CSR with your CA server. This will generate a user Certificate.
* Import the User Certificate to the client computer.
* Import the certificate of your CA to the client.

Let's see the ASA steps below:

* STEP 1:

You must have correct clock settings and also a valid FQDN for the ASA which must be registered in a DNS server. Then generate an RSA key pair (public and private key for the ASA).

ASA(config)# hostname asafw
asafw(config)# domain-name testcompany.com <- FQDN will be asafw.testcompany.com
asafw(config)# crypto key generate rsa label myrsakey modulus 2048 <- generate rsa key

The above will generate an RSA key pair (2048 bits) with label name "myrsakey".


* STEP 2:

Now we need to generate a CSR from the ASA. First create a Trustpoint in which we will define how the ASA will enroll with the CA and several other parameters for the CSR.

asafw(config)# crypto ca trustpoint Trustpoint1
asafw(config-ca-trustpoint)# enrollment terminal <- we will manually enroll in the CA
asafw(config-ca-trustpoint)# fqdn asafw.testcompany.com <- FQDN to be included in cert
asafw(config-ca-trustpoint)# subject-name CN=asafw.testcompany.com,C=US,ST=kansas,L=lawrence,O=testcompany,OU=security <- DN of the device
asafw(config-ca-trustpoint)# keypair myrsakey <- Use RSA keypair generated in Step 1
asafw(config-ca-trustpoint)# exit
asafw(config)#

NOTE: The Common Name (CN) above MUST be the same as the FQDN of the device, otherwise you will get error messages.

asafw(config)# crypto ca enroll Trustpoint1 <- generate a CSR using the settings in Trustpoint1

After you execute the enrollment command above you will be asked some questions from the ASA:


% Start certificate enrollment ..
% The subject name in the certificate will be: CN=asafw.testcompany.com,C=US,ST=kansas,L=lawrence,O=testcompany,OU=security
% The fully-qualified domain name in the certificate will be: asafw.testcompany.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIIBaDCCAQkCAQA... (output omitted)
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no

Now copy the Certificate Request from the CLI terminal as shown above and paste it into a text file. This file is the CSR of the ASA. You need to send this file to the administrator of your company's CA server (or to an external commercial CA) in order to sign it and generate the Identity Certificate for the ASA.
* STEP 3:

After you receive the signed Identity Certificate from the CA server, you need to import this certificate into the ASA. Since we have used terminal enrollment in Step 2, we must copy/paste the certificate in the CLI using the command below.

asafw(config)# crypto ca import Trustpoint1 certificate <- Import certificate in Trustpoint1

% The fully-qualified domain name in the certificate will be: asafw.testcompany.com

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
(paste the signed certificate here; output omitted)
-----END CERTIFICATE-----
quit <- You must type "quit" in a new line
INFO: Certificate successfully imported


* STEP 4:

As we have said before, we must have both the Identity Certificate and the CA Certificate imported in the same Trustpoint on the ASA in order to have a complete certificate chain. In Step 3 above we have imported the Identity Certificate. In this step we must import the CA certificate into the same Trustpoint.

Now, how to get the CA certificate file depends on the CA you are using. For a Microsoft CA server you can connect to the Web GUI of the server with a browser (usually the URL is http://serverIP/certsrv) and select the option "Retrieve the CA Certificate". Download the CA Certificate in Base64 format, open it with a text editor and copy the certificate to the clipboard.

Now we need to import this CA certificate to the ASA:

asafw(config)# crypto ca authenticate Trustpoint1 <- the "authenticate" command is used to import a CA certificate into the trustpoint

Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(paste the CA certificate here; output omitted)
-----END CERTIFICATE-----
quit

Certificate has the following attributes:
Fingerprint: dec02adb ... (output omitted)

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Trustpoint1 now contains both the Identity certificate and the CA certificate.

Verification:

asafw(config)# show crypto ca certificates

/ fMf is the identity Certificate of the ASA 

Certificate 

Status: Available 

Certificate Serial Number : 01 

U&qpe: Gefleraf Purpose 

public Key Type ; H£4 (204# 

Jjfjflatore ylfoorftfm: STOU with RSA Encryption 

issuer Name: 

go -adm in @testcompany. com 

cn*lntemalrootca 

ou-security 

o-testcompapy 

l=lawrence 

$t=ftansa$ 

c-US 

Subject Name: 

hostname-asafw.testcompany.com 

cn-usufw. testcorbpany com 

c-US 

st-hansos 

l-tawrence 

a-testcompany 

ou-security 
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ifnfiditV Date: 

* Zrt date: 23:0519 VEST Nov 5 2013 
nit fat* 23:05:19 EESTNov520U 
^odated Trustpointsi Trustpointl 

. is the CA Certificate (Issuer Name and Subject Name arc the iamej 

CA Certificate 
Status: Available 

Certificate Serial Number- OQad/c7eaf667edl87 
Certificate Usage: General Purpose 
Public Key TyP e; RSA ( 204S bits) 

Signature Algorithm: SHA1 with RSA Encryption 
Issuer Name: 

i a=adaiiri(h i testcompany.com 

enminternalrootca 

ou=$ecurity 

Q=testcompany 

Lawrence 

st*kansu$ 

c=US 

Subject Name: 

eo=adm in@testcompany.com 

cn=internalrootca 

oU'Security 

o-testcompany 

hlawrence 

st=kansas 

c~US 

Validity Dote: 

start date : 22:07:13 BEST Nov 5 2013 
end date: 22:07:13 BEST Nov 3 2023 
Associated Trvstpofnts: Trustpointl 
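The verification above is done by eye. The following Python script is an added example (not from the book) that performs the same checks on a constructed copy of the show crypto ca certificates output: it parses each certificate block, confirms that the Issuer Name of the identity certificate equals the Subject Name of the CA certificate in the same trustpoint, and tests the validity dates against a clock value written in the format the ASA prints. The time-zone token is dropped, so compare against a clock in the same zone; the sample text mirrors the output above and its serial numbers are sample values.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "show crypto ca certificates" output above:
# names, dates and trustpoint follow the page; the serial numbers are sample values.
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 01
  Issuer Name:
    ea=admin@testcompany.com
    cn=internalrootca
    ou=security
    o=testcompany
    l=lawrence
    st=kansas
    c=US
  Subject Name:
    hostname=asafw.testcompany.com
    cn=asafw.testcompany.com
    c=US
    st=kansas
    l=lawrence
    o=testcompany
    ou=security
  Validity Date:
    start date: 23:05:19 EEST Nov 5 2013
    end   date: 23:05:19 EEST Nov 5 2014
  Associated Trustpoints: Trustpoint1

CA Certificate
  Status: Available
  Certificate Serial Number: 00ad7c7eaf667ed187
  Issuer Name:
    ea=admin@testcompany.com
    cn=internalrootca
    ou=security
    o=testcompany
    l=lawrence
    st=kansas
    c=US
  Subject Name:
    ea=admin@testcompany.com
    cn=internalrootca
    ou=security
    o=testcompany
    l=lawrence
    st=kansas
    c=US
  Validity Date:
    start date: 22:07:13 EEST Nov 5 2013
    end   date: 22:07:13 EEST Nov 3 2023
  Associated Trustpoints: Trustpoint1
"""

DATE_RE = re.compile(r"(start|end)\s+date:\s*(.+)")


def parse_asa_date(text):
    """'23:05:19 EEST Nov 5 2013' -> naive datetime; the zone token is dropped."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:1] + parts[2:]), "%H:%M:%S %b %d %Y")


def parse_certificates(output):
    """Split the show output into one dict per certificate block."""
    certs, cur, section = [], None, None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                      # "Certificate" or "CA Certificate"
            cur = {"kind": line, "issuer": {}, "subject": {}, "fields": {}}
            certs.append(cur)
            section = None
        elif line in ("Issuer Name:", "Subject Name:"):
            section = line.split()[0].lower()
        elif line == "Validity Date:":
            section = "validity"
        elif indent >= 4 and section in ("issuer", "subject"):
            key, value = line.split("=", 1)   # one DN attribute per line
            cur[section][key.strip().lower()] = value.strip()
        elif indent >= 4 and section == "validity":
            m = DATE_RE.match(line)
            if m:
                cur["fields"][m.group(1)] = parse_asa_date(m.group(2))
        else:                                # plain "Key: value" attribute
            section = None
            key, value = line.split(":", 1)
            cur["fields"][key.strip()] = value.strip()
    return certs


def check_trustpoint(certs, trustpoint, now):
    """Return the problems found for a trustpoint (an empty list means it is usable)."""
    problems = []
    mine = [c for c in certs if c["fields"].get("Associated Trustpoints") == trustpoint]
    ids = [c for c in mine if c["kind"] == "Certificate"]
    cas = [c for c in mine if c["kind"] == "CA Certificate"]
    if not ids:
        problems.append("no identity certificate")
    if not cas:
        problems.append("no CA certificate")
    for c in mine:
        if c["fields"].get("Status") != "Available":
            problems.append(f"{c['kind']} status is {c['fields'].get('Status')}")
        if not c["fields"]["start"] <= now <= c["fields"]["end"]:
            problems.append(f"{c['kind']} not valid at {now:%Y-%m-%d %H:%M}")
    for idc in ids:                           # chain check: identity issuer == CA subject
        if not any(idc["issuer"] == ca["subject"] for ca in cas):
            problems.append("identity certificate issuer matches no CA certificate subject")
    return problems
```

Feed it the real output of show crypto ca certificates and the value of show clock; an identity certificate whose issuer does not match any CA certificate in the trustpoint, or a date outside the validity window (a wrong ASA clock produces exactly this), shows up as a problem line.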

* STEP 4:

So far we have created the Trustpoint1 which contains two certificates (Identity + CA certificates). This Trustpoint will be used for SSL validation and authentication on the outside ASA interface.

asafw(config)# ssl trust-point Trustpoint1 outside <- use Trustpoint1 to validate SSL certificates on the outside interface

* STEP 5:

Now, if you want, you can enable certificate authentication or both AAA and certificate authentication:

asafw(config)# tunnel-group telecommuters webvpn-attributes
asafw(config-tunnel-webvpn)# authentication aaa certificate













NOTE: For the remote users you must import the CA certificate into the certificate store of the user's computer (in the Trusted Root CA store) in order to create a certificate trust between the user and the ASA.


7.7 IKEv2 Remote Access VPN with AnyConnect

Cisco has announced the end-of-life of its native IPSec VPN client software but it is now integrating the IPSec support in the AnyConnect client (version 3.x and above). In the past we had two different remote access clients (one for IPSec and one for SSL VPN). Now we have a single remote access client solution which supports both IPSec as well as SSL remote access VPNs. This new solution is called "Cisco AnyConnect Secure Mobility Client".

In this section we will discuss the configuration of Remote Access VPN using IKEv2 IPSEC. The client which will be connecting to the ASA is AnyConnect version 3.x (and above) and will use IPSec instead of SSL.

In the diagram shown below, a remote user wants to connect to the ASA using IKEv2 VPN and wants to access the hosts 192.168.1.101 & 192.168.1.102 on the corporate LAN.

Remember that the configuration of IKEv2 remote access is a mixture of the IKEv2 generic configuration that we've covered in the site-to-site exercise before and the existing AnyConnect/SSL configuration, so it leverages most of the existing configuration commands that you might already be familiar with (that's why you will not find too much explanation on the commands below).


Prerequisites:

* Just like the SSL VPN we have seen before, make sure that you have an AnyConnect image uploaded on the ASA flash. It is generally a file with .pkg extension with the target operating system included in its filename. For example, anyconnect-win-3.1.04059-k9.pkg, or the equivalent macosx .pkg file. Here win represents Windows based machines and macosx refers to the MAC operating systems.

* You must have an XML profile which will instruct the AnyConnect client to use IPSec instead of SSL (see Step 9 below).
















* You must configure an Identity certificate on the ASA (either a self-signed certificate, a certificate obtained from an external CA, or even the Local CA as we have seen before).



* Step 1: Configure IKEv2 Policies and IPSec Proposals

Note that you can reuse these from the site-to-site IKEv2 exercise before.

vpnasa(config)# crypto ikev2 policy 1
vpnasa(config-ikev2-policy)# encryption aes
vpnasa(config-ikev2-policy)# integrity sha
vpnasa(config-ikev2-policy)# group 5 2
vpnasa(config-ikev2-policy)# prf sha
vpnasa(config-ikev2-policy)# lifetime seconds 86400
vpnasa(config-ikev2-policy)# exit
vpnasa(config)#

vpnasa(config)# crypto ipsec ikev2 ipsec-proposal AES256
vpnasa(config-ipsec-proposal)# protocol esp encryption aes-256
vpnasa(config-ipsec-proposal)# protocol esp integrity sha
vpnasa(config-ipsec-proposal)# exit


































vpnasa(config)# crypto key generate rsa label rsakeys modulus 1024
Keypair generation process begin. Please wait...

vpnasa(config)# crypto ca trustpoint SELF-TP
vpnasa(config-ca-trustpoint)# enrollment self
vpnasa(config-ca-trustpoint)# fqdn vpnasa.mycompany.com
vpnasa(config-ca-trustpoint)# subject-name CN=vpnasa.mycompany.com
vpnasa(config-ca-trustpoint)# keypair rsakeys
vpnasa(config-ca-trustpoint)# exit

vpnasa(config)# crypto ca enroll SELF-TP

Now you will get some questions from the ASA as shown below:

% The fully-qualified domain name in the certificate will be: vpnasa.mycompany.com
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes

When done with the certificate configuration, verify that the certificate is enabled and valid:

vpnasa(config)# show crypto ca certificates

Certificate
  Status: Available
  Certificate Serial Number: [serial number]
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=vpnasa.mycompany.com
    hostname=vpnasa.mycompany.com
  Subject Name:
    cn=vpnasa.mycompany.com
    hostname=vpnasa.mycompany.com
  Validity Date:
    start date: 19:25:21 EEST Nov 27 2013
    end   date: 19:25:21 EEST Nov 25 2023
  Associated Trustpoints: SELF-TP

vpnasa(config)# crypto ikev2 remote-access trustpoint SELF-TP <- set the trustpoint created above as the remote access trustpoint for IKEv2

vpnasa(config)# crypto ikev2 enable outside client-services port 443 <- enable client-services. Client services enable software updates, profiles, localization, etc.

vpnasa(config)# ssl trust-point SELF-TP outside <- client-services run over SSL, so specify the trustpoint to be used for SSL as well.

* Step 5: Enable and configure the AnyConnect client on the ASA under Webvpn

The following commands were used also in the SSL VPN AnyConnect configuration, so no explanation will be provided here.

vpnasa(config)# webvpn
vpnasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg
vpnasa(config-webvpn)# anyconnect enable
vpnasa(config-webvpn)# enable outside
vpnasa(config-webvpn)# tunnel-group-list enable
vpnasa(config-webvpn)# exit

* Step 6: Configure a Group Policy

vpnasa(config)# group-policy Anyconnect-Policy internal
vpnasa(config)# group-policy Anyconnect-Policy attributes
vpnasa(config-group-policy)# vpn-tunnel-protocol ikev2 ssl-client
vpnasa(config-group-policy)# webvpn
vpnasa(config-group-webvpn)# anyconnect keep-installer installed
vpnasa(config-group-webvpn)# anyconnect dpd-interval client 20
vpnasa(config-group-webvpn)# anyconnect ask none default anyconnect
vpnasa(config-group-webvpn)# exit
vpnasa(config-group-policy)# exit
vpnasa(config)#

* Step 7: Configure a Tunnel Group

vpnasa(config)# tunnel-group telecommuters type remote-access
vpnasa(config)# tunnel-group telecommuters general-attributes
vpnasa(config-tunnel-general)# default-group-policy Anyconnect-Policy
vpnasa(config-tunnel-general)# exit
vpnasa(config)# tunnel-group telecommuters webvpn-attributes
vpnasa(config-tunnel-webvpn)# group-alias [alias name] enable

* Step 8: Create local users for authentication

vpnasa(config)# username ikev2user password [password]

* Step 9: Create an XML profile for AnyConnect and upload it to the ASA flash

This step is important here. In the previous sections for SSL VPN we haven't talked about the AnyConnect XML profile because it was not mandatory. However, for IKEv2 IPSec VPN with AnyConnect you must configure an XML profile which will change the protocol used by the AnyConnect client from SSL (the default) to IPSec. This XML profile must be copied to the Flash of the ASA and also must be copied to the remote user's computer.

You can create the XML profile file manually with a text editor or you can use the ASDM to generate one. A simple XML profile with filename "ikev2profile.xml" has been created and is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>[display name of the VPN gateway]</HostName>  <!-- Specify the name shown in the client -->
      <HostAddress>vpnasa.mycompany.com</HostAddress>  <!-- FQDN of the VPN Gateway -->
      <PrimaryProtocol>IPsec</PrimaryProtocol>  <!-- Select IPsec protocol instead of SSL -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Notice above that we have set the "PrimaryProtocol" as "IPsec".

After the XML file above has been copied to the ASA flash (using FTP for example), verify it with show flash:






























vpnasa(config)# show flash
...
103   527   Nov 19 2013 17:20:24   ikev2profile.xml

Also, this XML profile must be copied to the computer of the remote user. For Windows 7 computers the profile above must be copied to the following path:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Normally the profile above is downloaded automatically to the computer of the remote user when the user connects to the ASA with AnyConnect for the first time. However, if you use IKEv2 the user will not be able to connect in the first place, so the profile won't be downloaded. Hence you must copy it manually to the user's machine.
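The profile format above is simple enough to generate and check programmatically. The following Python is an added example (not part of the book): it builds a profile of the same shape as ikev2profile.xml for one gateway, and it inspects an existing profile for HostEntry elements that would not select IPsec, which is the mistake that leaves the client on SSL (the AnyConnect default) and unable to reach an IKEv2-only ASA. The gateway names and the second, constructed sample profile are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Namespace used by AnyConnect client profiles (as in ikev2profile.xml above).
NS = "http://schemas.xmlsoap.org/encoding/"


def q(tag):
    """Qualify a tag name with the profile namespace."""
    return f"{{{NS}}}{tag}"


def build_profile(host_name, host_address, primary_protocol="IPsec"):
    """Generate a minimal profile like the one in Step 9 for a single VPN gateway."""
    ET.register_namespace("", NS)          # emit xmlns="..." as the default namespace
    root = ET.Element(q("AnyConnectProfile"))
    init = ET.SubElement(root, q("ClientInitialization"))
    ET.SubElement(init, q("WindowsVPNEstablishment")).text = "AllowRemoteUsers"
    ET.SubElement(init, q("WindowsLogonEnforcement")).text = "SingleLogon"
    entry = ET.SubElement(ET.SubElement(root, q("ServerList")), q("HostEntry"))
    ET.SubElement(entry, q("HostName")).text = host_name
    ET.SubElement(entry, q("HostAddress")).text = host_address
    ET.SubElement(entry, q("PrimaryProtocol")).text = primary_protocol
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def host_protocols(profile_xml):
    """Map each HostEntry's HostName to the protocol the client will try first.
    A HostEntry with no PrimaryProtocol element uses SSL, the AnyConnect default."""
    root = ET.fromstring(profile_xml)
    result = {}
    for entry in root.iter(q("HostEntry")):
        name = entry.findtext(q("HostName"))
        address = entry.findtext(q("HostAddress"))
        if not name or not address:
            raise ValueError("HostEntry needs both HostName and HostAddress")
        result[name] = entry.findtext(q("PrimaryProtocol")) or "SSL"
    return result


def entries_not_using_ipsec(profile_xml):
    """Host names that would stay on SSL and therefore not connect to an IKEv2-only ASA."""
    return sorted(n for n, p in host_protocols(profile_xml).items() if p != "IPsec")


# Constructed sample with two gateways: one set to IPsec as in Step 9, and one that
# omits PrimaryProtocol and therefore silently stays on SSL.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>corp-ikev2</HostName>
      <HostAddress>vpnasa.mycompany.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>corp-legacy</HostName>
      <HostAddress>vpn2.mycompany.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
```

Run entries_not_using_ipsec() on the file you are about to copy to disk0:/ and to the user's Profile directory; any name it returns is a HostEntry the user could pick that will attempt SSL instead of IKEv2.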

* Step 10: Bind the XML profile above to the WebVPN Group Policy

vpnasa(config)# webvpn
vpnasa(config-webvpn)# anyconnect profiles ikev2profile disk0:/ikev2profile.xml <- specify the location and filename of the XML profile
vpnasa(config-webvpn)# exit

vpnasa(config)# group-policy Anyconnect-Policy attributes
vpnasa(config-group-policy)# webvpn
vpnasa(config-group-webvpn)# anyconnect profiles value ikev2profile type user <- assign the XML profile to the appropriate group policy


* Step 11: Export the self-signed Identity Certificate of the ASA

As we have seen in the SSL VPN using self-signed certificate before, we can export the certificate of the ASA and import it to the clients as a trusted CA certificate.

vpnasa(config)# crypto ca export SELF-TP identity-certificate

See the steps in the section about SSL VPN using self-signed certificate for the procedure to import the certificate to the user's computer.


Verification

As shown on the screenshot below, the AnyConnect client is connected using the IKEv2/IPSEC protocol. Also, you can see all the details using:

vpnasa(config)# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : ikev2user              Index        : 2
Assigned IP  : 192.168.20.1           Public IP    : 212.3.150.12
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : none SHA1


[Screenshot: Cisco AnyConnect Secure Mobility Client, Statistics tab. Transport Information: Protocol IKEv2/IPsec NAT-T, Cipher AES_128_SHA1, Compression None, Proxy Address No Proxy. Client Management: Profile Name ikev2profile.xml. Control Frames: Sent 32, Received 39. Feature Configuration: FIPS Mode Disabled.]
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Chapter 8 Configuring Firewall Failover 

SAFlr^U 15 a critical component of any network infrastructural 
enterprise amices depend on the availability of the Firewall appliance. Firewall 


^uudaricy 


is therefore a must in many network topologies. 


Jfl Oto Chapter we will describe stateful failover in Active/Standby mode which is the most popul ar 
configuration In most networks- ASA supports also Activc/Attlvc failover mode which however 
[( quires special configuration using multiple firewall contexts. Also, Aclive/Active failover does 
-part VPNs which is another limitation of this redundancy mode. 


8.1 ASA Models Supporting Failover

At the time of writing this book, support for Active/Standby (AS) or Active/Active (AA) failover is as following:

► Older ASA 5500 Models:

o 5505 -> Does not support failover

o 5510 Base License -> Does not support failover

o 5510 Security Plus License -> Supports both AS and AA failover

o All other models (5520, 5540, 5550, 5580) -> Support both AS and AA failover

► Next Generation ASA 5500-X Models:

o 5512-X Base License -> Does not support failover

o 5512-X Security Plus License -> Supports both AS and AA failover

o All other models (5515-X, 5525-X, 5545-X, 5555-X, 5585-X) -> Support both AS and AA failover

















8.2 Understanding Active/Standby Failover

In an Active/Standby (A/S) mode of operation, one of the firewall units in the failover pair is assigned the active role, handling all traffic and security functions. The other firewall unit in the pair remains in standby mode and will automatically take over all the traffic in the event of a failure.

The stateful failover feature passes connection state information from the active to the standby unit. After failover occurs, the same connection information is available at the standby unit, which automatically becomes active without any user traffic disconnection. The stateful information that is synchronized between active and standby units includes global pool addresses and status, connection and translation information and status, TCP/UDP states, the translation table for NAT, the ARP table and many other details.



The network topology above shows a firewall failover pair in an Active/Standby setup. The "inside" interfaces are connected to the same internal switch and the "outside" interfaces to the same external switch. Also, a cross-over network cable is required between the two appliances as a LAN Failover Link. During normal operation, all traffic passes through the ACTIVE unit, which controls all inbound and outbound communication. In the event of a failure of the active firewall (e.g. interface failure, whole appliance failure etc), the STANDBY unit takes over by receiving the IP addresses of the ACTIVE unit so that traffic will continue to flow without interruption. All the connection state information is synchronized to the STANDBY unit, so it has knowledge of the established flows when it takes over the traffic.
Failover Requirements:

There are several hardware and software requirements for the two firewall units in order to work in a failover configuration:

* Must be of the same platform model.

* Must have the same hardware configuration (number and types of interfaces).

* Must be in the same operating mode (routed or transparent, single or multiple context).

* Must have the same amount of Flash and RAM memory.

* Must have the same licensed features (e.g. type of encryption supported, number of contexts, number of VPN peers supported etc).

* Proper Licensing. As we've described before, the ASA 5510 and ASA 5512-X must be running a "Security Plus" license in order to support failover. All the other higher models support both Active/Standby and Active/Active modes without any special license needed.


LAN Failover Link:

As shown on our exam
between the two firew
dedicated Ethernet int
be either a cross-over

In the next section we will discuss all technical details for configuring Stateful Active/Standby failover.










8.3 Configuring Active/Standby Failover

[Figure: Active/Standby failover topology. Two ASA units (ACTIVE and STANDBY), each with an Inside and an Outside interface, connected to each other by a LAN Failover Link; the Outside interfaces connect towards the INTERNET.]

Returning to our example failover network topology, we will discuss the step-by-step process of configuring two ASA Firewalls in an Active/Standby Stateful Failover setup.

* STEP 1: Prepare the Primary (Active) Firewall

Select one of the Firewall appliances to be the ACTIVE unit. Attach a network cable for each interface you plan to use on the Active Firewall unit and connect it to the appropriate switches. The Standby Firewall must be disconnected for now. Set the Active Firewall interfaces to fixed speed and duplex mode. For example, use the commands speed 100 and duplex full under Interface Configuration mode. Also, enable the PortFast feature on the switch ports connecting the Firewall interfaces.

Reserve two IP addresses for each Firewall network interface and decide which one will be assigned for the Active and which for the Standby unit. The two IP addresses for each interface must be in the same subnet. For example, in our network diagram above, assume that for the Inside interfaces we will use 192.168.1.1/24 for the ACTIVE Firewall, and 192.168.1.2/24 for the STANDBY firewall. Also, for the Outside interfaces we will use 100.100.100.1/24 for the ACTIVE and 100.100.100.2/24 for the STANDBY. Select also a private network subnet that will be used for the point-to-point Dedicated LAN Failover Link (Interface G0/2 in our example above). Assume that we will use 192.168.99.0/24.
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IV , [c , w l!<()“ te ,,ovtr ,a " “ ,,U b ,r>mar >' I <-Set the u „| t as prttn8ry 


1 _ .. I ,_i ^ ^ W 17 *-! 1 j. _If m 

SSt; 



a Physical 


Failover 



ASAtwnUg)* faJlover Enable the failover mechanism 


t,r 4 rirji h j ffo-r Primary firewall!; 

^CnVE-ASAfconfig)^ interface GlgabitEthernctO/2 

ACTTVIf-ASAfcDnflgdJ)# mi shut 

ACTIVE-A5A (con fig jit failover Ian unit primary 

ACT1 VE -ASA(conrig)if failover lan interface FAILOVER GigabitEthernet 0/2 
ACTIVE ASA fcon fig)8 failover link FAILOVER GigabitEthentetQ/2 

ACTIVE AS/l(coJ)fi K )# failover Interface ip FAILOVER 192.J68.99.1 255,255 255 0 «andbv 
1 $2,168,99,2 J 

ACTIVE-ASAfconflglii failover 


* STEP 3: Configure Interface IP addresses on the Primary (Active) Firewall

Each firewall interface in a failover pair must have two IP addresses assigned, one as the active address and another one as a standby address. Before configuring anything on the secondary firewall, we need to configure IP addresses on the Primary unit. The command format is:

ASA(config)# interface [Physical or Logical Interface]
ASA(config-if)# ip address [Active Unit IP] [netmask] standby [Standby Unit IP]














Example (for Primary Firewall):

ACTIVE-ASA(config)# interface GigabitEthernet0/0
ACTIVE-ASA(config-if)# nameif inside
ACTIVE-ASA(config-if)# security-level 100
ACTIVE-ASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

ACTIVE-ASA(config)# interface GigabitEthernet0/1
ACTIVE-ASA(config-if)# nameif outside
ACTIVE-ASA(config-if)# security-level 0
ACTIVE-ASA(config-if)# ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2

* STEP 4: Configure Monitoring of Interfaces on the Primary (Active) Firewall

One of the events that triggers the Failover mechanism is the failure of a Firewall interface. We need to specify which interfaces we want the appliance to monitor in order to switch over to the Standby unit when that interface fails. In our example above we want to monitor both the Inside and Outside Firewall interfaces.

The command format is:

ASA(config)# monitor-interface [Interface Name]

Example (for Primary Firewall):

ACTIVE-ASA(config)# monitor-interface inside
ACTIVE-ASA(config)# monitor-interface outside

If either the "inside" or "outside" interface fails, the Active firewall will switch over to the Standby unit. You can exclude interfaces attached to less critical networks from affecting your failover mechanism by using the no monitor-interface [interface name] command.

* STEP 5: Configure the LAN Failover Link on the Secondary (Standby) Firewall

After the Primary security appliance is configured, we now need to configure the Secondary Unit. The only configuration required for the secondary appliance is the LAN Failover Link. Power on the secondary appliance and connect its interfaces to the appropriate switches. DO NOT connect the LAN Failover Link between the two firewalls yet. Connect with a console cable and set up the following commands:

STANDBY-ASA(config)# interface GigabitEthernet0/2
STANDBY-ASA(config-if)# no shut
STANDBY-ASA(config)# failover lan unit secondary
STANDBY-ASA(config)# failover lan interface FAILOVER GigabitEthernet0/2
STANDBY-ASA(config)# failover link FAILOVER GigabitEthernet0/2
STANDBY-ASA(config)# failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
STANDBY-ASA(config)# failover

Notice that the only configuration difference we have with the Primary unit is the failover lan unit secondary command. Also, although we are configuring the secondary unit, the IP address configuration of the failover interface must be the same as that of the Primary unit.
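The address plan from STEP 1 and the command lines of STEPS 2 to 5 follow a few fixed rules, which the following Python script, an added example and not from the book, checks and applies: it keeps the plan in one dictionary, validates that every interface (failover link included) has distinct active and standby addresses in one subnet and that no two interfaces share a subnet, generates the primary unit's failover-link, interface and monitoring lines, and shows that the secondary unit's failover-link lines differ from the primary's only in the failover lan unit role. The addresses are the chapter's sample values; the dictionary layout and function names are assumptions of this example.

```python
import copy
import ipaddress

# Constructed address plan mirroring the chapter's example topology (sample values).
PLAN = {
    "failover_link": {"ifname": "FAILOVER", "phys": "GigabitEthernet0/2",
                      "active": "192.168.99.1", "standby": "192.168.99.2",
                      "mask": "255.255.255.0"},
    "interfaces": [
        {"phys": "GigabitEthernet0/0", "nameif": "inside", "security": 100,
         "active": "192.168.1.1", "standby": "192.168.1.2", "mask": "255.255.255.0"},
        {"phys": "GigabitEthernet0/1", "nameif": "outside", "security": 0,
         "active": "100.100.100.1", "standby": "100.100.100.2", "mask": "255.255.255.0"},
    ],
}


def validate_plan(plan):
    """Rules from STEP 1: active and standby addresses of every interface must differ
    and share a subnet, and no two interfaces may use the same subnet.
    Returns a list of problems; an empty list means the plan is sound."""
    problems, nets = [], []
    for entry in [plan["failover_link"]] + plan["interfaces"]:
        label = entry.get("nameif") or entry["ifname"]
        act = ipaddress.ip_interface(f"{entry['active']}/{entry['mask']}")
        stb = ipaddress.ip_interface(f"{entry['standby']}/{entry['mask']}")
        if act.ip == stb.ip:
            problems.append(f"{label}: active and standby addresses are identical")
        elif act.network != stb.network:
            problems.append(f"{label}: standby {stb.ip} is not in {act.network}")
        nets.append((label, act.network))
    for i, (la, na) in enumerate(nets):
        for lb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{la} and {lb} overlap on {na}")
    return problems


def failover_link_config(plan, role):
    """LAN failover link commands for one unit (STEP 2 on the primary, STEP 5 on the secondary)."""
    fl = plan["failover_link"]
    return [
        f"interface {fl['phys']}",
        " no shutdown",
        f"failover lan unit {role}",
        f"failover lan interface {fl['ifname']} {fl['phys']}",
        f"failover link {fl['ifname']} {fl['phys']}",
        f"failover interface ip {fl['ifname']} {fl['active']} {fl['mask']} standby {fl['standby']}",
        "failover",
    ]


def interface_config(plan):
    """Data-interface addressing and monitoring (STEPS 3 and 4); entered on the primary only."""
    lines = []
    for i in plan["interfaces"]:
        lines += [f"interface {i['phys']}", f" nameif {i['nameif']}",
                  f" security-level {i['security']}",
                  f" ip address {i['active']} {i['mask']} standby {i['standby']}"]
    lines += [f"monitor-interface {i['nameif']}" for i in plan["interfaces"]]
    return lines


def role_differences(plan):
    """The lines that differ between the two units' failover-link configs (should be one)."""
    primary = failover_link_config(plan, "primary")
    secondary = failover_link_config(plan, "secondary")
    return [(a, b) for a, b in zip(primary, secondary) if a != b]


def broken_plan():
    """Same plan with the outside standby address typed into the wrong subnet."""
    plan = copy.deepcopy(PLAN)
    plan["interfaces"][1]["standby"] = "100.100.101.2"
    return plan
```

A standby address outside the active address's subnet is the typical typo that keeps the pair from exchanging hellos on the data interfaces; validate_plan() reports it before any command is pasted into either unit.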




* STEP 6: Reboot the Secondary (Standby) Firewall

Use the write memory command to save the configuration of the Secondary Firewall. Connect the LAN Failover Link between the two Firewall appliances and use the reload command to reboot the secondary security appliance.

After the Secondary unit boots up, the Primary firewall configuration is replicated to the Secondary firewall. The following messages will appear on the Primary firewall:

Beginning Configuration Replication: Sending to Mate <- This denotes the start of the synchronization

End Configuration Replication to Mate <- This denotes the completion of the synchronization

You need to enter the write memory command on the active firewall unit to save all the replicated configuration on both the active and standby units.

From now on, any additional configuration must be done only on the Primary Firewall unit, since it will be automatically replicated to the Secondary unit. The write memory command on the Primary firewall will save the configuration on both units.

Finally, use the show failover command to verify that the failover mechanism works as expected.
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Chapter 9 Advanced Features of Device Con figuration 


9.1 Configuring Clock and NTP Support 


The Cisco ASA appliance M** doc* scMIors in >»V via a M WT "" ,f '« 

£vcn if the device Is turned off, the dock Is retained In memory, CftAtigurf ng time 

„ the appliance is important for lagging purpose! ijvlog m«**W » «*" » 
according to the device dock time setting. If yon want the *y*H muum •» 3 Ita^hflsp 

value, you must first con figure the dock (using dock set command) m<\ then vntAAv um^Um p* 
using logging ifmestamp command (more on syslog configuration Id later rations), Ifovfflga 


titne-stamp value nn log message is important for event tracing and fortn Jc purpose* V/htn % 
secu r j ty lucid cot ore urs, 


Another important reason for setting the correct time on the ASA firewall Is when you usepffj 
(Public Key infrastructure) with digital certificates for authentication of IPSI3C- or j >1- VPfI peer?. 
The ASA firewall uses the local appliance clock to wake sure that a Digital Certificate hu# not 
expired. When using PK3 digital certificates, set the firewall dock to If I f, time xnne, 


9-1.1 Configure Clock Settings; 

To configure the clock settings of the ASA appliance, use the dock set command as shown below: 
clscoasa# dock set hh:mmiss [day month f month day}year 


Example: 

cisco a sa ff clock set 10:30:00 Apr 10 2013 

To verify the correct clock on the appliance, use the show clock command. 









To set the time zone and the summer-time (daylight saving) settings of the appliance, use the following commands:

ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00


9.1.3 Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both authenticated and non-authenticated NTP are supported:

Non-authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server [NTP server IP] source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 1 md5 [ntp key] <- key ID 1 and the key string are placeholders
ciscoasa(config)# ntp trusted-key 1
ciscoasa(config)# ntp server [NTP server IP] key 1 source inside

9.2 Configuring Logging (Syslog)

The Cisco ASA security appliance generates syslog messages for various events such as security alerts, connection setup, configuration changes etc. You can configure what type of logging information is generated and where the security appliance sends the log messages. The logging destinations can be local or remote. Cisco ASA can send log messages to the following destinations:

1. Logging to SSH or Telnet session:

If you want to monitor log messages while you are connected to the ASA via Telnet or SSH, use the "logging monitor [logging level]" command. Then enable logging to the current terminal session using the "terminal monitor" command.

2. Logging to Internal Buffer:

The security appliance can store log messages in its internal buffer. Use the "logging buffered [logging level]" command to instruct the ASA to store log messages to its internal buffer. Use the "logging buffer-size [bytes]" to set the internal log buffer size in bytes. The default is 4KB. The following command sets the log buffer to 16KB: logging buffer-size 16384. To display the internal log buffer messages use the "show logging" command.
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3. Logging lo Console: 

**"«.! " mon ' tor .yUoj wMe you are c<mnEctNl , o (ft( ina the ranso|e ^ 

** ""»»*• ranSO,e >"-«■ ™™.d.Y, u should heverycarsful with**, loggl.* 

option Mice lh E console Is as low- 5pte d oonhEctioo (96C0 t pi ) andvitt degrade system 

performance i f the A5A gen era t* 5 a lot of [ 0 g messages. 

4 . Logging lo E-mail Address: 

LcTi; t°gg* n & rnj ^ [logging ]evel| command sends sysiogmessages to an email address. 

ra ample: 

A£A(tonfigl# logging enable 
ASAftonftgl# logging mail critical 

ASA [con fig) t logging from-address eiscosecEirityapplbnce@exainple.com 
ASA(t&nfig)F* logging recipient-address 3dmin@e3f3mple.co.rri 

5. Loggi ng to A da ptive Security D evice Ma nager (A5D M): 

Hit ASDM is the Graphical User Interface application to manage an ASA firewall. Too can configure 
the appliance to send syslog messages to the ASDM GUI using “logging asdm [logging level]'. 


t 


&. Logging to External Sysbg Server: 

This is a great logging option since you can store and archivesyslog messages for a longer period 
compared with the other options. Use the "logging host [Interface name] [syslog IP]“ to send log 
messages to an external syslog host. Use also the “logging trap flogging level] ri command to 
specify the logging level. 

ASAIronfig)# logging enable 
ASA[«mfig)fl logging host inside 192.168.1.30 




s 


i 


A5jt(coh0g)fl logging trap errors 


■'• L*gj^ng to SNMP Network Management System: 


If >'DU have an NMS system in your network which collects SNMP alerts, you can send syslim 
messages as traps to the SNMF NM S system. Use the"loggi ng history [logging level |" cm m ^ nd 
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ASA(connfi)# lugging enable 

l .- i cw\i> in 11 100 trap community coimnunfcynaine 
ASA(config) samp'server host inssdt 

ASA {con fig) S stimp*serveT enable traps sysl eg 

ASAfconfig]# logging history warnings. 


Configuring Logging Levels:

There are 8 configurable Logging Levels (0 to 7). For each command described above for the logging destination option, you should specify also a logging level after each command. Each logging level defines how much and what type of messages will be logged by the appliance. The eight Logging Levels are:

0 - Emergencies: Generate System unusable messages.

1 - Alerts: Take immediate action messages.

2 - Critical: Generate Critical condition messages.

3 - Errors: Generate Error messages.

4 - Warnings: Generate Warning messages.

5 - Notifications: Generate normal but significant condition messages.

6 - Informational: Generate information messages.

7 - Debugging: Generate debug messages and log FTP and WWW commands.

For each Logging Level that you configure, all lower number levels are enabled as well. For example, if you enable Logging Level 4 (Warnings), then Logging Levels 0, 1, 2, 3 are also enabled.

Example:

ASA(config)# logging enable
ASA(config)# logging timestamp <- attach timestamp to log messages
ASA(config)# logging buffer-size 8096 <- set log buffer to 8KB
ASA(config)# logging buffered warnings <- send syslog warning messages to the log buffer
ASA(config)# logging asdm errors <- send syslog error messages to ASDM
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. You can 


Ul'Ji 

S**'"”” " ,m - 7; H 7 ,W ' hyM "« «—*.*- Hood „ )0 security affiance logs. - 

loggl"* l*y» | «»|t_l«l|- c.„,,, 8 

L*, HI 710005 (NctlllOS tralfk). To k ‘" C ASA ” n<MH,ed ^ “ SyS '° 8 

" ' ° ll, l lut uf this syslog message configure the 

fo ||ovvl»»H : 

/ ,SA(r"" n K>" 1,0 ,MC **ago 710005 

pl^laylQjt Sy>l»i: Settings 

TodlsP^V ,hccurrcnt *>' slo R «‘Hngs (LogKinB Lev-u i , , 

,, H ■-cv'cls, log destinations etcl and to also monitor the 

^ HU,fCr mCSMBCS ‘ "* tht ‘ ‘ s, ‘°" logging' command. 
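The level rule (a configured level includes every lower number) and the per-message suppression above decide which messages reach which destination. The following Python is an added example (not from the book) that models both: constructed ASA-format syslog lines are routed to destinations configured with the same levels as the example above, with message 710005 suppressed. The message IDs and severities are real ASA ones; the addresses, ports and connection numbers in the sample lines are made up.

```python
import re

# Severity keywords in ASA numeric order (0 = most severe), as listed above.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


def level_number(level):
    """Accept the keyword ('warnings') or the number (4) used on 'logging ...' commands."""
    if isinstance(level, int):
        return level
    return LEVELS.index(level.lower())


def parse_line(line):
    """Split an ASA syslog line into severity, message id and text (None if not ASA format)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m["sev"]), "id": int(m["id"]), "text": m["text"]}


def route_messages(lines, destinations, suppressed=()):
    """Return {destination: [message ids delivered]}.

    destinations such as {"buffered": "warnings", "trap": "errors"} mirror
    'logging buffered warnings' / 'logging trap errors'. A message is delivered when its
    severity number is <= the destination's level number (a configured level includes
    every lower number), unless its id was disabled with 'no logging message <id>'."""
    delivered = {dest: [] for dest in destinations}
    suppressed = set(suppressed)
    for line in lines:
        msg = parse_line(line)
        if msg is None or msg["id"] in suppressed:
            continue
        for dest, level in destinations.items():
            if msg["severity"] <= level_number(level):
                delivered[dest].append(msg["id"])
    return delivered


# Constructed sample lines in ASA syslog format (documentation addresses, made-up ports).
SAMPLE_LINES = [
    '%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.9/443 to inside:192.168.1.20/51514',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4567 dst inside:192.168.1.10/445 by access-group "OUTSIDE_IN"',
    '%ASA-3-710003: TCP access denied by ACL from 203.0.113.7/3312 to outside:100.100.100.1/22',
    '%ASA-7-710005: UDP request discarded from 192.168.1.55/137 to inside:192.168.1.255/137',
    '%ASA-2-106016: Deny IP spoof from (10.0.0.1) to 192.168.1.10 on interface outside',
]

# Destinations as configured in the example above, plus the 710005 suppression.
EXAMPLE_DESTINATIONS = {"buffered": "warnings", "asdm": "errors", "trap": "errors"}
EXAMPLE_SUPPRESSED = {710005}
```

With the example settings the buffer receives the level 2, 3 and 4 messages, the ASDM and syslog server only levels 2 and 3, and the level 7 NetBIOS message 710005 reaches nothing because it is suppressed before the level comparison.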


9.3 Configuring Device Access Authentication Using Local Username/Password

In this section we will examine how to configure the security appliance to require authentication for administrator users when they try to connect to the ASA firewall for management. You can configure usernames and passwords locally on the ASA or have an external AAA server (RADIUS or TACACS) which will hold the username/password database. In this section we will discuss only Local authentication. The next Chapter will describe Authentication using an external AAA server.

Authentication can be configured for all management access connections, i.e. Telnet, SSH, Serial, and HTTP. Also, the Enable option can be used to request a username and password before accessing Privileged Mode for Serial, Telnet, and SSH connections.

Configure Authentication using the Local username database:

* Step 1: First configure a Local username/password pair:

ASA(config)# username [name of user] password [user password]

* Step 2: Enable authentication against the LOCAL user database for each management access method:

ASA(config)# aaa authentication [serial | telnet | ssh | http | enable] console LOCAL

Example:

ASA(config)# username admin password [password]
ASA(config)# aaa authentication serial console LOCAL
ASA(config)# aaa authentication telnet console LOCAL
ASA(config)# aaa authentication ssh console LOCAL
ASA(config)# aaa authentication enable console LOCAL

NOTE: The "console" keyword in the commands above does not refer to the console cable. It is the "serial" keyword in the commands above that refers to the console cable that we use for serial access.

* serial Parameter: Causes the user to be prompted continually by default until that user successfully logs in with the correct username/password specified in the configuration. You can limit the maximum failed attempts as we will see below. The serial option is for users connecting with the serial console cable.

* telnet Parameter: Causes the user to be prompted continually by default until that user successfully logs in. You can limit the maximum failed attempts as we will see below. The telnet option requests a username/password for users connecting with telnet before the first command-line prompt.

* ssh Parameter: Allows three tries before stopping access attempts. The ssh option requests a username and password for users connecting with ssh before the first command-line prompt.

* enable Parameter: Allows three tries before stopping access attempts. The enable option requests a username and password before accessing privileged mode for Serial, Telnet, and SSH connections.


Configure Maximum Failed Attempts: 

For Serial and Telnet connections, the ASA firewall will continually ask the user for 
username/password until the correct authentication is entered. This is a security problem since an 
attacker may use a Brute Force attack to gain access to the appliance. It is strongly suggested to 
configure a limit on the maximum failed attempts, as shown below: 

ASA(config)# aaa local authentication attempts max-fail [fail-attempts number] 

Example: 

ASA(config)# aaa local authentication attempts max-fail 5 

Also: 

Use the command "show aaa local user" to see if a specific user is locked out. 
Use the command "clear aaa local user lockout all" to clear the lockout status. 


Configure HTTPS Access for GUI Management with ASDM 

To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the ASA. 
HTTPS access is enabled as part of the factory default configuration. This section describes how to 
manually configure ASDM access. 

To configure HTTPS access for ASDM, perform the following commands: 

ASA(config)# asdm image disk0:/asdm-717.bin <- Location of ASDM Image on the ASA 
ASA(config)# http server enable <- Enable the HTTPS server on the device 
ASA(config)# http 10.10.10.0 255.255.255.0 inside <- Tell the device which IP addresses are 
allowed to connect with HTTPS (ASDM) 
ASA(config)# username admin password [password] <- Configure user/pass 
9.4 Configuring a Master Passphrase 

There are several configuration features on the ASA that make use of some kind of password or 
key that you need to enter. Some examples include: 

• VPN pre-shared keys (either for site-to-site IPSec VPN or for Remote Access). 

• AAA server secret key when communicating with an external AAA server. 

• Routing Protocols keys (for OSPF, EIGRP). 

• Secret key for failover communication. 

• Password to communicate with a Log Server. 

• VPN Load Balancing key 

• Etc 

All the above might be hidden when you view the running configuration (by executing "show run"), 
however they are NOT encrypted inside the configuration file. For example, if you copy the 
configuration to an external TFTP Server, all the above passwords and secret keys will be shown as 
clear text in the configuration file. 

Moreover, when you execute the command "more system:running-config" you will also be able to 
view the running configuration with all passwords as plain text. 


If you want to store all the above passwords in encrypted format in the configuration file, you can 
use the "Master Passphrase" feature. The master passphrase provides a key that is used to 
universally encrypt or mask all passwords, without changing their functionality. This feature is 
available from ASA version 8.3(1) and above. 


Configuration of Master Passphrase 

• Step 1: Create the Master Passphrase. This must be between 8-128 characters. 
Do not use backspace or double quote. 

ASA(config)# key config-key password-encryption 
New key: verystrongkey 
Confirm key: verystrongkey 

The above creates the Master Passphrase. Next we need to enable AES password encryption for all 
passwords. 

• Step 2: Enable Password Encryption and save the configuration 

ASA(config)# password encryption aes 
ASA(config)# write mem 

NOTES: 

• If you want to remove the master passphrase use "no key config-key password-
encryption [current passphrase]". 

• If you have lost the master passphrase you must erase the configuration and reboot the 
ASA: "write erase" and then "reload". 
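To review a configuration dump for the problem described in this section, here is an added Python example (not from the book, and not a Cisco tool) that scans an exported ASA configuration for secret-bearing commands whose value is still readable, and reports whether "password encryption aes" is present. The configuration text and the list of command patterns are constructed for this example and are assumptions about what such a dump contains; a real review should extend the patterns to the commands your deployment uses.

```python
"""Audit an exported ASA configuration for secrets stored in clear text.

Added example, not from the book: a reviewer's check for keys and
pre-shared keys that stay readable when the configuration is copied off
the appliance. SAMPLE_CONFIG and SECRET_PATTERNS are constructed
assumptions, not an exhaustive list of ASA commands that carry secrets.
"""
import re
from typing import List, Tuple

# Constructed sample dump: the secret-bearing commands the chapter lists,
# with no master passphrase configured.
SAMPLE_CONFIG = """\
hostname ASA
aaa-server ACSSRV protocol tacacs+
aaa-server ACSSRV (inside) host 10.1.1.1
 key sharedsecret
failover key failoverkey1
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ospf message-digest-key 1 md5 ospfsecret
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key vpnsecret
"""

# Each pattern captures the secret value. A value made only of '*'
# is treated as masked (assumption about how a hidden value is shown).
SECRET_PATTERNS = [
    re.compile(r"^\s*key\s+(\S+)"),                               # AAA server key
    re.compile(r"^\s*failover key\s+(\S+)"),                      # failover key
    re.compile(r"^\s*ospf message-digest-key\s+\d+\s+md5\s+(\S+)"),
    re.compile(r"^\s*ospf authentication-key\s+(\S+)"),
    re.compile(r"^\s*(?:ikev1 )?pre-shared-key\s+(\S+)"),         # VPN PSK
]


def find_cleartext_secrets(config: str) -> List[Tuple[int, str]]:
    """Return (line number, command) for every secret value that is not masked."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m and not set(m.group(1)) <= {"*"}:
                findings.append((lineno, line.strip()))
                break
    return findings


def master_passphrase_enabled(config: str) -> bool:
    """True when 'password encryption aes' is configured, i.e. secrets are stored AES-encrypted."""
    return any(l.strip() == "password encryption aes" for l in config.splitlines())


if __name__ == "__main__":
    print("master passphrase enabled:", master_passphrase_enabled(SAMPLE_CONFIG))
    for lineno, cmd in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: clear-text secret in '{cmd}'")
```

Run it against a file copied from the appliance (for example via TFTP, as the section describes) rather than against "show run" output, since the latter may hide values that the exported file still contains.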

















Chapter 10 Authentication, Authorization, Accounting (AAA) 

AAA is a suite of control mechanisms that are used by network devices for access control. 
Authentication is used to verify who the user is, Authorization is used to control what the user 
can do (privileges), and Accounting is used to log what the user did in the network (audit-trail). 
The network device communicates with an AAA Server for these functions. In this Chapter we will 
focus mostly on Authentication using an external AAA server. 

In the previous Chapter we've described Authentication using the Local User database of the ASA. In 
this Chapter we will describe Authentication using an External AAA Server, such as the Cisco Access 
Control Server (ACS). That is, we will see how to configure the ASA firewall to Authenticate users 
utilizing an external AAA server. 


For the Cisco ASA appliance we have three types of Authentication: 

1. Authentication of users when accessing the security appliance itself (Device Access 
Authentication). 

2. Authentication of users when accessing HTTP, HTTPs, Telnet and FTP services through the 
security appliance. This is called also cut-through proxy. 

3. Authentication of users from remote access through an IPSEC or SSL VPN tunnel (Tunnel 
Access Authentication). 


10.1 Device Access Authentication using External 
AAA Server 

Next we will describe how to control Administrative access to the appliance using an external AAA 
Server. As mentioned above, an example of AAA Server is the Cisco Secure ACS Server (Access 
Control Server) which supports both RADIUS and TACACS+ Authentication Protocols. AAA 
servers provide a centralized solution for offering authentication services to all of your network 
devices (ASA Firewalls, Routers, Switches etc). Basically the biggest advantage of a centralized AAA 
server is that you can keep a central database of username/passwords so that you do not need to 
configure usernames/passwords on each of your network devices, thus minimizing 
administration effort and enhancing overall authentication security. 


[Diagram: the Admin workstation reaches the ASA via Serial Console, SSH or TELNET; the ASA forwards the credentials to the AAA Server (RADIUS or TACACS) on the inside interface (Gi0/1) and receives ACCESS ACCEPT or ACCESS DENY.] 


In the diagram above, the ASA Admin workstation can access the firewall using a Serial Console cable, 
or through the network using SSH, TELNET, HTTP. Before allowing access, the ASA will prompt the 
admin user for his/her credentials. The username/password credentials supplied by the Admin will 
be sent by the ASA to the AAA Server as an Authentication request. If the credentials are valid, the 
AAA server will reply with "ACCESS ACCEPT" so that the ASA will allow access to the Admin user. 

NOTE: 

Before the ASA firewall can authenticate a TELNET, SSH, or HTTP access session, you must first 
configure the security appliance to allow those management protocols using the telnet, ssh, and 
http commands. 

Example: 

ASA(config)# ssh 10.1.1.0 255.255.255.0 dmz <- allow ssh from dmz subnet 10.1.1.0 
ASA(config)# telnet 10.2.2.0 255.255.255.0 inside <- allow telnet from inside subnet 10.2.2.0 
ASA(config)# http server enable 
ASA(config)# http 10.2.2.50 255.255.255.255 inside <- allow http from inside host 10.2.2.50 


























SSH access can be used on all security level interfaces of the ASA (inside, outside, dmz etc). Telnet 
access is ONLY allowed on the inside interfaces. 

10.1.1 Configure Authentication using an External AAA Server 

• Step 1: First specify a AAA server group: 

ASA(config)# aaa-server [server-tag] protocol [radius|tacacs+] 

• Step 2: Then designate an authentication server. 

You need to define the IP address of the AAA server and a pre-shared security key which must 
be configured also on the AAA server. 

ASA(config)# aaa-server [server-tag] [ASA interface name] host [IP address of AAA] 
ASA(config-aaa-server-host)# key [preshared secret key] 

• Step 3: Then configure the ASA protocols to request authentication from the AAA 
server 

ASA(config)# aaa authentication [serial|telnet|ssh|http|enable] console [server-tag] [LOCAL] 

Example: 

ASA(config)# username admin password cisco123 <- configure LOCAL username/password 
ASA(config)# aaa-server ACSSRV protocol tacacs+ <- designate tacacs+ as auth. protocol 
ASA(config)# aaa-server ACSSRV (inside) host 10.1.1.1 
ASA(config-aaa-server-host)# key sharedsecret 
ASA(config-aaa-server-host)# exit 

ASA(config)# aaa authentication serial console ACSSRV LOCAL <- specify LOCAL as backup 
ASA(config)# aaa authentication ssh console ACSSRV LOCAL 
ASA(config)# aaa authentication enable console ACSSRV LOCAL 
ASA(config)# ssh 10.1.1.0 255.255.255.0 inside <- enable ssh access on inside interface 

NOTE: 

It is strongly recommended to specify LOCAL authentication also in addition to the AAA server. 
This means that if the AAA server is not available for any reason, the ASA firewall will use the 
LOCAL username/password as a backup authentication. 
10.2 Cut-Through Proxy Authentication for 
TELNET, FTP, HTTP(s) 

The cut-through proxy feature of the security appliance allows the ASA to transparently verify the 
identity of users when accessing Telnet, FTP, HTTP and HTTPs services. The firewall first intercepts 
the Telnet/FTP/HTTP(s) session and authenticates the user identity against a AAA server. If the 
authentication is successful, the user session is redirected to the destination server. If the 
destination server has its own authentication, you must enter another username and password. I 
will not get into many details about the cut-through proxy feature because I have not seen it used 
very often in real networks, however it might be helpful in some situations (especially for HTTP 
authentication for example). 



[Diagram: Web Server 10.0.0.1 and FTP Server 10.0.0.2 in the DMZ are mapped to 50.1.1.1 (Web) and 50.1.1.2 (FTP) on the outside of the ASA; the ASA sends an Authentication Request to the AAA Server (RADIUS or TACACS) 192.168.0.10 on the inside.] 

Let's see a scenario for cut-through proxy. From the figure above, the Web Server (10.0.0.1) in DMZ 
is statically mapped to 50.1.1.1 on the outside. Similarly, the FTP server (10.0.0.2) is mapped to 
50.1.1.2 on the outside. When a user on the internet tries to access either the Web or the FTP 
server, the ASA will generate an authentication prompt for the user. After the user enters 
his/her credentials, the ASA will query the AAA server for Authentication. If authentication is 
successful the user session will be "cut-through" the security appliance and get redirected to 
the destination server. 


When using cut-through proxy, make sure that the inbound ACL allows the connection first. If 
the inbound ACL drops the connection from outside, then cut-through proxy authentication will 
not take place. 

10.2.1 Configure cut-through proxy Authentication using an 
external AAA Server: 

• Step 1: First specify a AAA server group: 

ASA(config)# aaa-server [server-tag] protocol [radius|tacacs+] 

• Step 2: Then designate an authentication server. 

You need to define the IP address of the AAA server and a pre-shared security key which must be 
configured also on the AAA server. 

ASA(config)# aaa-server [server-tag] [ASA interface name] host [IP address of AAA] 

ASA(config-aaa-server-host)# key [preshared secret key] 

• Step 3: Configure an ACL that identifies the source and destination IP 
addresses of traffic that you want to authenticate. 

• Step 4: Then enable cut-through proxy authentication by specifying which 
traffic flow to authenticate. 

ASA(config)# aaa authentication match [ACL name] [interface name] [AAA server-tag] 

[interface name] is where the connection originates. 

Let's see the following example which is based on the network diagram shown above. 

















ASA(config)# object network web_server_static 
ASA(config-network-object)# host 10.0.0.1 <- Real IP of Web Server 
ASA(config-network-object)# nat (DMZ,outside) static 50.1.1.1 <- Mapped IP 

ASA(config)# object network ftp_server_static 
ASA(config-network-object)# host 10.0.0.2 <- Real IP of FTP Server 
ASA(config-network-object)# nat (DMZ,outside) static 50.1.1.2 <- Mapped IP 

ASA(config)# access-list OUTSIDE-IN extended permit tcp any host 10.0.0.1 eq 80 <- allow 
traffic to reach the web server from outside 

ASA(config)# access-list OUTSIDE-IN extended permit tcp any host 10.0.0.2 eq 21 <- allow 
traffic to reach the FTP server from outside 

ASA(config)# access-group OUTSIDE-IN in interface outside 

ASA(config)# aaa-server ACSSRV protocol radius <- designate radius as auth. protocol 
ASA(config)# aaa-server ACSSRV (inside) host 192.168.0.10 
ASA(config-aaa-server-host)# key sharedsecret 
ASA(config-aaa-server-host)# exit 

ASA(config)# access-list 101 permit tcp any host 10.0.0.1 eq www 
ASA(config)# access-list 101 permit tcp any host 10.0.0.2 eq ftp 

ASA(config)# aaa authentication match 101 outside ACSSRV <- enable cut-through proxy for 
traffic originating from "outside" and matching ACL 101. Use ACSSRV server for 
authentication. 
Chapter 11 Identity Firewall Configuration 

From ASA version 8.4(2) and later, a new feature was introduced called "Identity Firewall". 
With Identity Firewall an ASA device provides more granular access control 
based on user's identity instead of regular source/destination IP addresses and Port numbers. You 
can configure access rules and security policies based on user names and user group names rather 
than through IP addresses. 

The ASA applies the security policies based on an association of IP addresses to Windows Active 
Directory login information. Thus, an Active Directory agent is required to extract the mapping of 
logged-in users with their IP addresses from the Active Directory server. 

To implement an Identity Firewall mechanism you need to have 3 components: 

1. An ASA Firewall with version 8.4(2) and later. 

2. A Microsoft Active Directory Server. Supported versions include Windows Server 2003, 
Windows Server 2008, and Windows Server 2008 R2 servers. 

3. An Active Directory Agent software. This agent can be installed either on a separate 
Windows Server (Windows 2003, Windows 2008 or Windows 2008 R2) or on the same 
server where the Active Directory resides. 












[Diagram: Client (User "John"), the ASA, the AD Agent, the Active Directory Server and the Financial Department server.] 

From the diagram above, let's see a simplistic explanation of how the Identity Firewall works: 

• The Active Directory Agent (AD-agent) communicates with the Active Directory Server and 
retrieves a mapping of logged-in users with their associated IP address. This is done by 
monitoring the Active Directory server security event log file via WMI for user login and 
logoff events. 

• The ASA firewall sends an LDAP query for the Active Directory groups configured on the AD 
Server. The ASA consolidates local and Active Directory groups and applies access rules and 
security policies based on user identity. 

• Assume that user "John" tries to access a server in the Financial Department through the 
ASA firewall which is configured with Identity Firewall access control. This means that the 
ASA has an Access Control List which specifies what user "John" can access on the network. 
The ASA sends a request to the AD-agent asking about the IP address of user "John" 
in the AD Domain. The AD-agent will send to the ASA the current IP 
address to which user John is assigned. If the ACL on ASA allows user John to access the server 
in the Financial Department, the ASA will allow the IP address of John's computer (which 
was received from AD-agent) to access the server. 

• The above behavior shows that instead of using the IP address of John's computer, 
we used the actual username "John" to apply access control policies for this 
user. 


11.1 Prerequisites For Identity Firewall 

Before configuring the ASA firewall to work as Identity Firewall, you need first to install and set up 
the other 2 components, the AD Agent and the Active Directory. 

11.1.1 AD Agent Configuration 

The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally, you 
must configure the AD Agent to obtain information from the Active Directory servers and also 
configure the AD Agent to communicate with the ASA. 

For the steps to install and configure the AD Agent, see the Installation and Setup Guide for the 
Active Directory Agent (from Cisco website). Before configuring the AD Agent in the ASA, obtain 
the secret key value that the AD Agent and the ASA use to communicate. This value must match on 
both the AD Agent and the ASA. 

Add the ASA as a client on the AD Agent 

Here is how to configure a shared secret key on the AD Agent: 

adacfg client create -name <client-nickname> -ip <IP-address>[/<prefix-length-for-IP-range>] 
-secret <RADIUS-shared-secret> 

Example: (The following command is run on the AD Agent machine) 
cd C:\IBF\CLI 

adacfg client create -name ASAFW -ip 192.168.1.10 -secret radiussharedsecret 
Add a Domain Controller on the AD Agent 

Create all the DCs from which the AD Agent will receive logon-logoff events. 

Gather the following information: 
DC - Name 

DC - Host name or FQDN 

DC - user (must be a member of domain admin group) 

Password of the above user-ID 

adacfg dc create -name <DC-nickname> -host <DC-Hostname or FQDN> -domain <full-AD-
Domain> -user <admin-user> -password <admin-pass> 

Example: (The following command is run on the AD Agent machine) 
cd C:\IBF\CLI 

adacfg dc create -name MAIN_DC -host DC1 -domain DC1.company.com -user Administrator 
-password adminpass123 

11.1.2 Microsoft Active Directory Configuration 

Microsoft Active Directory must be installed on a Windows server and accessible by the ASA. 
Supported versions include Windows 2003, 2008 and 2008 R2 servers. 

Before configuring the Active Directory server on the ASA, create a user account in Active Directory 
for the ASA. 

Optionally, the ASA can send encrypted login information to the Active Directory server by using 
SSL enabled over LDAP. SSL must be enabled on the Active Directory server if you want to use SSL 
over LDAP. See the documentation for Microsoft Active Directory for the steps to enable SSL for Active 
Directory. 
11.2 Configuration of Identity Firewall on ASA 

The example configuration that we will describe below is based on the following diagram: 

[Diagram: example topology with the Client, the ASA, the AD Agent and the Active Directory Server.] 

• Step 1: Configure Communication of ASA with the Active Directory Domain 

As we have described above, the ASA communicates with AD Server (using LDAP) to download User 
Groups and to accept user identities from specific domains when receiving IP-user mapping from 
the AD Agent. Therefore we must tell ASA how to communicate with the AD Domain Server. 

Example: 

ASA(config)# aaa-server ADSRV protocol ldap <- use LDAP to communicate with AD 
ASA(config-aaa-server-group)# exit 

ASA(config)# aaa-server ADSRV (inside) host 192.168.1.10 <- The AD Server is accessible 
from the inside interface and has IP address 192.168.1.10 

ASA(config-aaa-server-host)# ldap-base-dn DC=MYDOMAIN,DC=com <- Specifies the Base 
DN location in the LDAP hierarchy to start searching. 

ASA(config-aaa-server-host)# ldap-scope subtree <- Search all levels beneath the Base DN 
ASA(config-aaa-server-host)# ldap-login-password asapass <- Specify the login password 
for the account created on AD for the ASA. 

ASA(config-aaa-server-host)# ldap-login-dn MYDOMAIN\ASAuser <- Specify the login 
username for the account created on AD for the ASA. 

ASA(config-aaa-server-host)# server-type microsoft <- This is a Microsoft AD Server 
ASA(config-aaa-server-host)# ldap-group-base-dn OU=Sample 
Groups,DC=MYDOMAIN,DC=com <- OPTIONAL. This is the location of the AD Groups 
ASA(config-aaa-server-host)# ldap-over-ssl enable <- Allows the ASA to access the Active 
Directory domain controller over SSL (This is Optional) 

ASA(config-aaa-server-host)# server-port 636 <- If ldap-over-ssl is not enabled, the default 
server-port is 389; if ldap-over-ssl is enabled, the default server-port is 636. 

ASA(config-aaa-server-host)# group-search-timeout 300 <- Amount of time before LDAP 
queries time out (seconds). 

ASA(config-aaa-server-host)# exit 


• Step 2: Configure Communication of ASA with the AD Agent 

Periodically or on-demand, the AD Agent monitors the Active Directory server security event log 
file via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP 
address mappings and notifies the ASA of changes. The ASA communicates with the AD Agent using the 
RADIUS protocol, therefore we must configure the ASA device accordingly. 

ASA(config-aaa-server-host)# key secretradiuskey <- Specifies the pre-shared key between 
ASA and the AD Agent 

ASA(config)# user-identity ad-agent aaa-server ADAGENT <- Define the AAA 
Server Group for the AD Agent 

• Step 3: Configure Identity Firewall Options 

In this step we will enable the Identity Firewall feature (it is disabled by default) and also configure 
some Identity Firewall options. 

ASA(config)# user-identity enable <- Enable the Identity firewall 

ASA(config)# user-identity domain MYDOMAIN aaa-server ADSRV <- Associate the Domain 
name with the LDAP AAA server group we have configured in Step 1. 

ASA(config)# user-identity default-domain MYDOMAIN <- Specify the default Domain to be 
used for all users in the Identity Firewall (except VPN users). 

ASA(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-
interval seconds 10 retry-count 2 user-not-needed <- Enables NetBIOS probing. Enabling this 
option configures how often the ASA probes the user client IP address to determine whether 
the client is still active. 

Having completed the configuration above, we can now add user identity arguments to access 
rules, for example in order to restrict traffic to certain users in the network. 
The following are some examples where we can use Identity Based policy control. 

• Access Rules: With identity firewall, you can now control access based on user names. 

• Cloud Web Security: You can control which users are sent to the Cloud Web Security proxy 
server. 

• VPN Filter: You can configure the ASA to enforce identity-based access rules on VPN traffic. 

Example 1: 

Based on the network diagram above, we will allow access of Domain User "John" to the Financial 
Department Server (192.168.20.20). 

ASA(config)# access-list INACL extended permit ip user MYDOMAIN\John any host 
192.168.20.20 <- User "John" from any source IP can access server 192.168.20.20 
ASA(config)# access-group INACL in interface inside 

From the ACL above, the argument "user MYDOMAIN\John any" will match traffic from user 
"John" coming from "any" source IP address. 

Assume now that we want to allow a whole group of domain users to access the server. The ACL 
will be configured as following: 

ASA(config)# access-list INACL extended permit ip user-group MYDOMAIN\\ADMINS any 
host 192.168.20.20 <- User Group "ADMINS" from any source IP can access the server at 
192.168.20.20 
ASA(config)# access-group INACL in interface inside 
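To make the evaluation of such identity-based rules concrete, here is an added Python model (not from the book, and not Cisco code) of how a rule written for a user or a user-group is finally enforced against the client's IP address: the IP-to-user mapping learned from the AD Agent and the group membership learned via LDAP are combined, and the ACL is walked top-down with an implicit deny at the end. The mapping, the group membership and the host addresses other than 192.168.20.20 are constructed sample data.

```python
"""Model of identity-based ACL evaluation on the ASA.

Added example, not from the book and not Cisco code: it shows how the
ASA turns a rule written for a user or a user-group into a decision on
the client's IP address, by combining the IP-to-user mapping received
from the AD Agent with the group membership learned via LDAP.
IP_USER_MAP and GROUP_MEMBERS are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed IP-to-user mapping, as reported by the AD Agent.
IP_USER_MAP: Dict[str, str] = {
    "192.168.1.50": "MYDOMAIN\\John",
    "192.168.1.51": "MYDOMAIN\\Alice",
    "192.168.1.52": "MYDOMAIN\\Bob",
}

# Constructed group membership, as learned by the ASA via LDAP.
# Group names are written with a double backslash, as in the ACL syntax.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "MYDOMAIN\\\\ADMINS": {"MYDOMAIN\\Alice"},
}


@dataclass
class Rule:
    """One access-list entry; None in a field means 'any'."""
    action: str                        # "permit" or "deny"
    user: Optional[str] = None         # e.g. "MYDOMAIN\\John"
    user_group: Optional[str] = None   # e.g. "MYDOMAIN\\\\ADMINS"
    dst_host: Optional[str] = None     # destination host IP


# The two rules from the chapter: user John and group ADMINS may reach
# the Financial Department server 192.168.20.20.
INACL: List[Rule] = [
    Rule("permit", user="MYDOMAIN\\John", dst_host="192.168.20.20"),
    Rule("permit", user_group="MYDOMAIN\\\\ADMINS", dst_host="192.168.20.20"),
]


def resolve_user(src_ip: str, ip_user_map: Dict[str, str] = IP_USER_MAP) -> Optional[str]:
    """Identity lookup: the AD Agent mapping, or None when the IP has no known user."""
    return ip_user_map.get(src_ip)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             ip_user_map: Dict[str, str] = IP_USER_MAP,
             group_members: Dict[str, Set[str]] = GROUP_MEMBERS) -> str:
    """Walk the ACL top-down; first matching rule wins, implicit deny at the end."""
    user = resolve_user(src_ip, ip_user_map)
    for rule in rules:
        if rule.dst_host is not None and rule.dst_host != dst_ip:
            continue
        if rule.user is not None and rule.user != user:
            continue
        if rule.user_group is not None:
            members = group_members.get(rule.user_group, set())
            if user is None or user not in members:
                continue
        return rule.action
    return "deny"


if __name__ == "__main__":
    for src in ("192.168.1.50", "192.168.1.51", "192.168.1.52", "192.168.1.99"):
        print(src, resolve_user(src), "->", evaluate(INACL, src, "192.168.20.20"))
```

Note the failure mode the model makes visible: a source IP for which the ASA holds no user mapping (an agent outage, a stale cache, or a host that never logged on to the domain) matches neither the user nor the user-group rule and falls to the implicit deny, which is why the logout-probe settings in Step 3 and the health of the AD Agent matter operationally.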






Chapter 12 Routing Protocol Support 

Firstly you need to know that the ASA appliance is not a full-functioning router. However, it still has a 
routing table which is used to select the best path to reach a certain destination network. After all, 
if a packet successfully passes all firewall rules, it needs to be routed by the firewall to its 
destination. 

The Cisco ASA Firewall appliance supports both Static and Dynamic Routing. Three dynamic 
routing protocols are supported, namely RIP, OSPF, and EIGRP. It is highly recommended to prefer 
static routing configuration on the ASA firewall, instead of dynamic routing. This is because the 
usage of dynamic routing protocols might expose your internal network structure to the outside 
world. If you are not careful with dynamic routing configuration, it is possible to start advertising 
your internal network subnets to external untrusted networks, thus revealing your hidden 
networks to the outside world. 

However, there are situations where dynamic routing configuration is necessary. Such a case would 
be a large network in which the ASA firewall is located within the internal network campus or data 
center. In such a case, you will benefit from using a dynamic routing protocol on the ASA since you 
will not have to configure tons of static routes, and also you will not run into the risk of revealing 
any hidden subnets to untrusted networks (since the ASA is located deep inside the campus 
network). 

The following are some routing protocol best practices for the ASA: 

• For small networks, use only static routes. Use a default static route pointing to the gateway 
connected to the outside interface (usually Internet), and also use static routes for internal 
networks which are more than one hop away (i.e. not directly connected). 

• Any network that is directly connected on an ASA interface DOES NOT need any static route 
configuration since the ASA firewall already knows how to reach this network. 

• If the ASA is connected on the perimeter of the network (the border between trusted and 
untrusted networks), then configure a default route towards the outside untrusted network 
and then configure specific static routes towards the internal networks. 

• If the ASA is located deep inside a large network campus with many internal network 
routes, then configure a dynamic routing protocol. 

12.1 Static Routing 

There are three types of static routes: 
• Directly Connected Route 
• Normal Static Route 
• Default Route 

Directly Connected Route 

The Directly Connected Route is automatically created in the ASA routing table when you configure 
an IP address on an appliance interface. For example, if you configure the IP address 
192.168.1.10/24 on the inside interface of ASA, then a Directly Connected Route of 192.168.1.0 
255.255.255.0 will be automatically created. 

Normal Static Route and Default Route 

For configuring a Normal Static Route and Default Static Route refer to the diagram below. 

[Diagram: the outside interface Gi0/0 points to the Default Route gateway 100.1.1.1; the inside interface Gi0/1 points to the Static Route gateway 192.168.1.1, behind which lies network 192.168.2.0/24.] 

A route configuration on the ASA is like telling the appliance the following: "To send a packet 
to the specified network, give it to this router gateway". 
Use the "route" command to enter either a static or default route. The command format is: 

ASA(config)# route [interface name] [destination network] [mask] [gateway] 

[interface name]: This is the ASA interface from which the packet will exit. 
[destination network] [mask]: This is the destination network/mask we want to reach. 
[gateway]: This is the next-hop router to which the packet is handed over. 

Let's see an example configuration below (refer to diagram above): 

ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 <- Default Route 
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1 <- Static Route. To reach 
network 192.168.2.0 send the packets to 192.168.1.1 

For the default route (usually towards the Internet), you set both the destination network and 
netmask to 0.0.0.0. All traffic for which the ASA has no route in its routing table will be sent to 
100.1.1.1 (the gateway in the default route). 

To see what is included in the appliance's routing table, use the "show route" command: 

ASA# show route 

S 0.0.0.0 0.0.0.0 [1/0] via 100.1.1.1, outside <- Default Static Route 
C 192.168.1.0 255.255.255.0 is directly connected, inside <- Connected Route 
C 100.1.1.0 255.255.255.0 is directly connected, outside <- Connected Route 
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside <- Static Route 
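To see how the ASA chooses among the routes listed above, here is an added Python example (not from the book, and not an ASA tool) that parses the "show route" output of the previous example into a routing table and resolves a destination address by longest prefix match, with the 0.0.0.0/0 default route matching only when nothing more specific does. The "show route" text is reproduced from the example above without the arrow comments; the regular expressions are an assumption about the two line formats shown there.

```python
"""Parse 'show route' output and resolve next hops by longest prefix match.

Added example, not from the book: it models how the ASA picks a route
for a destination from the static, connected and default routes shown
above. The SHOW_ROUTE text mirrors the example output; the regular
expressions assume only the two line formats that appear in it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The 'show route' listing from the example above (arrow comments removed).
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 100.1.1.1, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    100.1.1.0 255.255.255.0 is directly connected, outside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
"""

STATIC_RE = re.compile(
    r"^(\w)\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")
CONNECTED_RE = re.compile(
    r"^(\w)\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)")


@dataclass
class Route:
    code: str                       # S = static, C = directly connected
    network: ipaddress.IPv4Network  # destination network/mask
    gateway: Optional[str]          # next hop; None for connected routes
    interface: str                  # exit interface


def parse_show_route(text: str) -> List[Route]:
    """Build the routing table from the two line formats in 'show route'."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            code, net, mask, gw, ifc = m.groups()
            routes.append(Route(code, ipaddress.IPv4Network(f"{net}/{mask}"), gw, ifc))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            code, net, mask, ifc = m.groups()
            routes.append(Route(code, ipaddress.IPv4Network(f"{net}/{mask}"), None, ifc))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match: the most specific matching network wins.

    0.0.0.0/0 has prefix length 0, so the default route is chosen only
    when no other route covers the destination.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("192.168.2.5", "192.168.1.20", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", r.code, r.network, r.gateway or "connected", r.interface)
```

A packet for 192.168.2.5 is handed to 192.168.1.1 on inside, a packet for 192.168.1.20 is delivered directly on the connected inside network, and anything else (for example 8.8.8.8) falls through to the default route via 100.1.1.1 on outside.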

12.1.1 IPv6 Static Routing 

Configuring Default IPv6 Static Route 

ASA(config)# ipv6 route outside ::/0 3FFE:1100:0:CC00::1 <- The prefix ::/0 means any IP. 
The above will send any traffic (::/0) that doesn't match any other route to the default gateway IP 
which is 3FFE:1100:0:CC00::1 

Configuring Static IPv6 Route 

ASA(config)# ipv6 route inside 7fff::0/32 2FFE:1120:0:CC00::2 
The IPv6 network 7fff::0/32 is reachable via gateway 2FFE:1120:0:CC00::2 







12.1.2 Static Route Tracking - Dual ISP Redundancy 

When you configure a static route on the ASA, the route remains permanently in the 
routing table. The only case for the static route to get removed from the routing table is when the 
associated ASA interface goes physically down. In all other cases, for example when the 
remote default gateway goes down, the ASA will keep sending packets to its gateway router without 
knowing that it is actually down. 

From ASA version 7.2 and later, the Static Route Tracking feature was introduced. The ASA tracks 
the availability of static routes by sending ICMP echo request packets through the primary static 
route path and waits for replies. If the primary path is down, a secondary path is used. This feature 
is useful when you want to implement Dual-ISP redundancy, as we will see in the scenario below. 

In the network scenario above, interface Eth0/0 (outside) is connected to the Primary ISP and 
interface Eth0/1 (backup) is connected to the Secondary ISP. Two default static routes will be 
configured (one for each ISP) which will use the track feature. The primary ISP path will be 
tracked using ICMP echo requests. If an echo reply is not received within a predefined period, the 
backup static route will be used. Note however that the scenario is suitable only for outbound 
communication (that is, from the inside network towards the outside). 
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12,1.2.1 Configuring Static Route Tracking 

1 Use ,h,‘sla monitor- command .0 specify the monitoring protocol (e.g ICMP), the target 
address to track [c.g ISP gateway router) and the tracking timers. 

2 Use the "sla monitor schedule” command to schedule the monitoring process (usually ll,e 
' monitoring process is configured to run ‘forever" hut duration and starttlmes are 

configurable), 

3. Define the primary static route to be tracked using the‘route" command with the "track* 

option, 

4. Define the backup static route and set its metric higher than the primary static route. 

Let's see an example configuration bellow (related to the diagram shown above) 

! Assume we have configured an interface named "outside' and a wither interface named 
"backup " 

i Configure Port Address Translation (PAT) for internal network towards the internet 

ASA(config)# object network PAT_PR1MARY 

ASA (con fig-n6tw(i rk-ob ject) H subnet 102,168.1.0 255,255,255,0 

ASAfconfi^network object)# nat (inslde^utside) dynamic interface 

ASA(config)# object network PAT_EACKUP 

AS A(coitfig-network-ob ject)f s ubnel 192.168.1.® 255.25;>.2 55,l> 

ASA (config-network-object)# nat (mside.batkup) dynamic interface 


! Now configure Route Tracking using the SLA Monitor feature

ASA(config)# sla monitor 100 <- Define SLA ID 100
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1.1 interface outside
ASA(config-sla-monitor)# timeout 3000 <- Define timeout 3000 milliseconds (3 sec)
ASA(config-sla-monitor)# frequency 5 <- track target 5 times
ASA(config-sla-monitor)# exit
ASA(config)# sla monitor schedule 100 life forever start-time now <- Schedule the monitoring process SLA ID 100 to start now and run forever

ASA(config)# track 10 rtr 100 reachability <- Associate a Track ID 10 with the SLA ID 100
ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 10 <- Associate the Track ID 10 to the primary static route. Define also a metric 1 for this route.

ASA(config)# route backup 0.0.0.0 0.0.0.0 200.2.2.2 {metric} <- Define the backup static route with a higher route metric {metric} (higher than the primary's metric 1)


In the scenario above, the firewall appliance will be tracking the primary ISP gateway router (100.1.1.1). If an echo reply is not received within 3 sec (timeout 3000 milliseconds) and the process is repeated 5 times (frequency 5), the primary default route is considered down and therefore the secondary backup route will be used.


12.2 Dynamic Routing using RIP

You still find RIP in some cases. The older ASA appliance (v7.x) can only accept RIP advertisements and optionally advertise a default route. However, it cannot receive RIP advertisements from one neighbor and advertise these routes to another neighbor. From ASA version 8.x however, the appliance supports full RIP functionality. Both RIPv1 and RIPv2 are supported. However, using RIPv1 is not recommended because it does not support routing updates authentication.

12.2.1 Configuring RIP

Configuration of RIP on the ASA appliance is similar with a Cisco router. RIP is configured using the "router rip" Global Configuration command, and RIP authentication security is configured under Interface Configuration.

ASA(config)# router rip <- enable the RIP routing process
ASA(config-router)# network [network address] <- network to advertise via RIP
ASA(config-router)# version [1 | 2] <- RIP version
ASA(config-router)# default-information originate <- originate a default route into the network
ASA(config-router)# passive-interface [interface name] <- disable RIP propagation on specified interface
ASA(config-router)# no auto-summarize <- disable automatic route summarization

The "no auto-summarize" command works only for RIPv2. It disables automatic route summarization to the network Class boundary. For example, if you have a route 10.1.3.0/24 that you want to advertise via RIP, by default it will be advertised as 10.0.0.0/8 by the ASA. Using the "no auto-summarize" command, the route will be advertised as 10.1.3.0/24.
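As an added example (not from the book), the following Python models the classful summarization just described: classful_summary() returns the route RIP advertises while auto-summary is in effect, and advertised_routes() applies it to a list of configured subnets, going one step beyond the text by showing how two subnets of the same classful network collapse into a single advertisement. The function names are hypothetical.

```python
"""Model of RIP automatic route summarization at the classful network boundary.
Added example for the "no auto-summarize" discussion; not the book's code."""
import ipaddress


def classful_prefix_length(address: ipaddress.IPv4Address) -> int:
    """Classful boundaries: Class A = /8 (0-127), B = /16 (128-191), C = /24 (192-223)."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is not in a classful unicast range")


def classful_summary(prefix: str) -> str:
    """The route RIP advertises for `prefix` when auto-summary is in effect,
    e.g. 10.1.3.0/24 -> 10.0.0.0/8 (the book's example)."""
    net = ipaddress.ip_network(prefix, strict=False)
    length = classful_prefix_length(net.network_address)
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def advertised_routes(prefixes, auto_summary: bool = True) -> set:
    """Routes RIP would advertise for the configured subnets.
    auto_summary=True  : the ASA default, each subnet replaced by its classful network
                         (two subnets of the same major network become ONE advertisement)
    auto_summary=False : "no auto-summarize", subnets advertised as configured
    The model applies the summary unconditionally, as the book's example does; on a real
    router it takes effect when the update crosses a major-network boundary."""
    if not auto_summary:
        return {str(ipaddress.ip_network(p, strict=False)) for p in prefixes}
    return {classful_summary(p) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample: two discontiguous subnets of 10.0.0.0/8 plus a Class B and C subnet
    routes = ["10.1.3.0/24", "10.2.0.0/16", "172.16.5.0/24", "192.168.1.0/24"]
    print("auto-summary      :", sorted(advertised_routes(routes)))
    print("no auto-summarize :", sorted(advertised_routes(routes, auto_summary=False)))
```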

Regarding RIP updates authentication, this is configured on a per interface basis:

ASA(config)# interface [interface number]
ASA(config-if)# rip authentication mode {text | md5} <- I suggest to always use md5 auth.
ASA(config-if)# rip authentication key [secret key] key-id [key ID number] <- Use the same secret authentication key to all neighbor devices running RIP. [secret key] can be up to 16 characters, and [key ID number] is a number between 0-255


The diagram below shows an example network topology with an ASA firewall running RIP within a network with other routers.



Assume the ASA is located between the Campus Network and the DataCenter Network. The neighbors behind the inside interface are running RIP.
Example:

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2

ASA(config)# router rip
ASA(config-router)# network 192.168.1.0
ASA(config-router)# version 2
ASA(config-router)# default-information originate
ASA(config-router)# exit
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# rip authentication mode md5
ASA(config-if)# rip authentication key somesecrethere key-id 10


12.3 Dynamic Routing using OSPF

OSPF (Open Shortest Path First) is a dynamic routing protocol based on Link States rather than distance vectors (such as RIP) for optimal path selection. It is a much better and more scalable routing protocol compared to RIP, that's why it is widely used in large Enterprise networks. OSPF can be very complex and one can write a whole book for it. In this section I will keep the OSPF discussion as brief as possible, and I will try to discuss features and scenarios that are most commonly used in real networks.

OSPFv2 supports IPv4 and OSPFv3 supports IPv6. OSPFv3 supports IPv6 in ASA version 9.x and later.


















12.3.1 Configuring OSPFv2

OSPF is based on Areas. In brief, to configure OSPF you need to create an OSPF routing process (up to two routing processes can be configured on ASA), specify the IP network addresses associated with the routing process, and then assign an Area ID to each IP network address. Optionally, configure authentication for OSPF updates security.

ASA(config)# router ospf [process ID] <- enable the OSPF routing process
ASA(config-router)# network [IP address] [subnet mask] area [area ID] <- IP network address to advertise via OSPF. This network address must be assigned to an OSPF Area.

Note that "subnet mask" above must be a normal subnet mask (such as 255.255.255.0) and NOT an inverse/wildcard subnet mask like we use in Cisco routers (such as 0.0.0.255).

To configure OSPF MD5 authentication, you need to enable authentication per Area (within the routing process) and also configure the MD5 authentication key under Interface configuration.

ASA(config)# router ospf [process ID]
ASA(config-router)# area [area ID] authentication message-digest <- Enable MD5 authentication in the specific Area
ASA(config-router)# exit
ASA(config)# interface [interface number]
ASA(config-if)# ospf authentication message-digest
ASA(config-if)# ospf message-digest-key [key ID] md5 [secret key]


We will see two OSPF example scenarios which are commonly used in real implementations. The first example depicts a Cisco ASA within an Enterprise network working as an ABR (Area Border Router), and the second example shows an ASA firewall injecting a default route into the internal network via OSPF.
In the example above, the ASA5500 firewall is located between the Data Center and Campus Networks. All routers within the Data Center network are running OSPF in Area 0. On the other hand, all routers in the Campus Network are running OSPF in Area 1. The ASA works as Area Border Router. We assume also that there is no NAT configured on the ASA ("no nat-control"). Firewall policies can be enforced using Access-Lists on both the Inside and Outside interfaces.


Configuration example:

ASA(config)# router ospf 10
ASA(config-router)# network 192.168.1.0 255.255.255.0 area 0
ASA(config-router)# network 192.168.2.0 255.255.255.0 area 1
ASA(config-router)# area 0 authentication message-digest
ASA(config-router)# area 1 authentication message-digest
ASA(config-router)# exit
ASA(config)# interface GigabitEthernet0/0
ASA(config-if)# ospf authentication message-digest
ASA(config-if)# ospf message-digest-key 20 md5 somesecretkey
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# ospf authentication message-digest
ASA(config-if)# ospf message-digest-key 20 md5 somesecretkey
In the example above, the ASA has a default route towards the Campus Network and injects this default route in the inside network (Data Center). This means that all routers within the Data Center network (which will be running OSPF in Area 0) will acquire a default route which will point to their next-hop closest to the ASA.

Configuration Example:

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2
ASA(config)# router ospf 10
ASA(config-router)# network 192.168.1.0 255.255.255.0 area 0
ASA(config-router)# default-information originate always <- Inject default route
ASA(config-router)# area 0 authentication message-digest
ASA(config-router)# exit
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# ospf authentication message-digest
ASA(config-if)# ospf message-digest-key 20 md5 somesecretkey
ASA(config-if)# exit

















12.3.2 Configuring OSPFv3 (ASA Version 9.x and later)

OSPFv3 is a new feature supported on ASA 9.x and later. We will see just the basic configuration, which is a bit different than the philosophy used in OSPFv2. Basically you need first to enable an OSPFv3 process and then configure a specific interface to run OSPFv3 (under interface config). As we've said before, OSPFv3 is used for distributing IPv6 routing information.

ASA(config)# ipv6 router ospf 10 <- First enable an OSPFv3 routing process (10)
ASA(config)# interface GigabitEthernet0/1 <- Run OSPFv3 under this interface
ASA(config-if)# ipv6 ospf 10 area 0 <- This interface will be running OSPFv3 in Area 0


12.4 Dynamic Routing using EIGRP


EIGRP is the enhanced version of the older IGRP. It is a Cisco proprietary protocol which runs only between Cisco devices. Support for EIGRP on Cisco ASA was included from version 8.0 and later. Although EIGRP is very easy to use and flexible, network designers and administrators hesitate to use it widely since it works only with Cisco equipment, so you are effectively dependent on a single vendor. I have not seen this protocol used a lot on Cisco ASA firewalls, so I will keep the discussion just to the basics. (Note: Currently, EIGRP on Cisco ASA does not support IPv6.)


12.4.1 Configuring EIGRP

EIGRP configuration on a Cisco ASA is very similar with a Cisco router. Basically you enable the EIGRP process by assigning it an AS number, and then configure the IP network ranges that will be advertised by the routing protocol to other EIGRP neighbors.

ASA(config)# router eigrp [AS Num] <- enable the EIGRP routing process
ASA(config-router)# network [IP address] [subnet mask] <- IP network address to advertise

MD5 authentication for EIGRP updates is configured under Interface config mode as shown below:

ASA(config)# interface [interface number]
ASA(config-if)# authentication mode eigrp [AS-num] md5
ASA(config-if)# authentication key eigrp [AS-num] [key] key-id [key ID]

Note: All neighbor routers must belong in the same AS number and have the same MD5 key. The [key ID] is just a number between 0-255.

Configuration Example:

ASA(config)# router eigrp 2 <- we are in Autonomous System 2
ASA(config-router)# network 192.168.1.0 255.255.255.0
ASA(config-router)# network 192.168.2.0 255.255.255.0
ASA(config-router)# exit
ASA(config)# interface Ethernet0/2
ASA(config-if)# authentication mode eigrp 2 md5
ASA(config-if)# authentication key eigrp 2 somesecretkey key-id 20

This concludes our discussion on routing protocol support.












Chapter 13 Modular Policy Framework Configuration

In this Chapter we will see the key concepts behind Modular Policy Framework (MPF). MPF is a vast and extensive subject, so I will only describe the basic features of it and the most useful concepts implemented in real world networks.

13.1 MPF Overview

Modular Policy Framework provides greater granularity and flexibility in implementing network and security policies with the ASA appliance. The MPF mechanism can be used for example to apply Quality of Service (prioritization) for voice traffic, to rate-limit specific remote access connections, to apply TCP connection limits to specific traffic flows, to apply deep packet (layer 7) inspection on specific flows of traffic etc.

When configuring MPF, the traffic is first identified (traffic matching) with a Class-Map, then actions are applied to the matched traffic using a Policy-Map, and finally the whole policy is enabled on an interface or globally using a Service-Policy.


As described above, there are three main components of a Modular Policy Framework: a Class-Map component, a Policy-Map component and a Service-Policy component.

* Class-Map: This is used to identify a traffic flow that we want to apply policies on. You can create either a Layer3/4 Class-Map or a Layer 7 Class-Map. In this Chapter we will focus only on Layer3/4 class maps. This type of class map matches traffic based on protocols, ports, IP addresses and other Layer3/4 characteristics of the traffic flow. On the other hand, a Layer7 Class-Map matches traffic based on application characteristics (for example a certain URL name in an HTTP traffic flow or even a certain FTP command in an FTP connection).

* Policy-Map: After the firewall appliance identifies the traffic flow with a Class-Map, a Policy-Map is used to apply certain actions (or policies) to the selected class of traffic. An example of a policy-map is to limit the maximum number of TCP connections towards a Web Server on the DMZ to a certain number. Another example of a policy map is to apply high priority to voice packets between two sites. Similarly with Class-Maps, an administrator can create a Layer3/4 Policy-Map or a Layer 7 Policy-Map.

* Service-Policy: The Service-Policy component is used to apply the configured policy framework to an interface or Globally on the appliance. The ASA appliance supports one Service-Policy per interface and one Globally.

The diagram below illustrates the structure of the Cisco ASA Modular Policy Framework. Keep this structure in mind to help you understand the various configuration examples and scenarios that we will describe later on.


Modular Policy Framework Structure (diagram)

1. Class-Map [class name]
   {Match traffic commands}
   Create a class-map to identify traffic with "match" commands

2. Policy-Map [policy name]
   Class [class name]
   Actions
   Assign the class-map into a Policy-Map and specify actions

3. Service-Policy [policy name]
   Apply to interface or Globally
   Enable the policy on an interface or Globally using a Service-Policy
Default Modular Policy Configuration

By default, the out-of-the-box Cisco ASA appliance has a class-map already configured which matches the default-inspection-traffic. You can view this default class-map in the configuration by using the "show run class-map" command.

ASA(config)# show run class-map
class-map inspection_default
 match default-inspection-traffic

The keyword "default-inspection-traffic" is a special name which denotes matching of several default applications and protocols on their default ports, as shown on the table below.

Protocol / Application                                   Protocol Type (tcp/udp)   Port
CTIQBE (Computer Telephony Interface)                    TCP                       2748
DNS                                                      UDP                       53
FTP                                                      TCP                       21
GTP (GPRS Tunneling Protocol) *requires special license  UDP                       2123, 3386
H323 H225                                                TCP                       1720
H323 RAS                                                 UDP                       1718-1719
HTTP                                                     TCP                       80
ICMP                                                     N/A                       N/A
ILS (LDAP)                                               TCP                       389
IPSec Pass Through                                       UDP                       500
MGCP (Media Gateway Control Protocol)                    UDP                       2427, 2727
NetBIOS Name Server                                      UDP                       137, 138 (source ports)
PPTP                                                     TCP                       1723
RADIUS Accounting                                        UDP                       1646
RSH                                                      TCP                       514
RTSP                                                     TCP                       554
SIP                                                      TCP/UDP                   5060
SCCP (Cisco Skinny)                                      TCP                       2000
SMTP/ESMTP                                               TCP                       25
SNMP                                                     UDP                       161, 162
SQL*Net                                                  TCP                       1521
Sun RPC                                                  UDP                       111
TFTP                                                     UDP                       69
XDMCP                                                    UDP                       177


Most of the applications and protocols shown above are inspected by the ASA in its default configuration. For example, an FTP communication through the ASA between an FTP client and server uses a Control connection on port 21 and a Data connection on port 20. Normally, a firewall would not allow such a communication to go through because the initial connection is on port 21 and the return FTP data traffic is on a different port (20). Using the "default-inspection-traffic" mechanism described above (together with the "inspect" command under Global policy map configuration), the Cisco ASA will inspect the FTP traffic in order to allow both the control and the data connection flows to pass through with no problems. The rest of the protocols from the Table above either exhibit similar behavior with FTP or generally require some special "handling", therefore they are inspected by the firewall on the application layer for proper communication. For example, the voice signaling protocol H323 has to be inspected on the application layer in order for the firewall to allow the voice RTP (Real Time Protocol) traffic (which works on a random range of UDP ports) to pass through the ASA for a successful VoIP communication.

The default policy configuration on a Cisco ASA (out-of-the-box) is the following:

class-map inspection_default <- Create a default class-map
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy <- Create a Global policy
 class inspection_default <- Attach the default class map to the global policy
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global <- Enable the global policy for all traffic


13.2 Modular Policy Framework Configuration 


13.2.1 Configuring Class-Maps 


As stated above, in this Chapter we will focus only on Layer3/4 Class-Maps. This type of class map classifies traffic based on Layer3 or Layer4 attributes, such as IP address, port number, DSCP values etc. The configuration involves two steps: First configure a name for the class-map and then use the "match" command under the class-map configuration mode in order to identify the traffic flow.

ASA(config)# class-map [class name] <- assign a name to the class of traffic
ASA(config-cmap)# match access-list [ACL name] <- match traffic based on ACL
ASA(config-cmap)# match port {tcp|udp} {eq port no | range port port} <- match based on ports
ASA(config-cmap)# match any <- match any traffic
ASA(config-cmap)# match default-inspection-traffic <- match the default ports for the supported applications as we've discussed before.
ASA(config-cmap)# match dscp {value} <- match specific dscp value(s) in the IP header. For example, "match dscp ef" means "match expedited forwarding packets", which is usually voice packets.
ASA(config-cmap)# match precedence {value} <- match IP precedence value(s) in the IP header. Similar with dscp.
ASA(config-cmap)# match tunnel-group {name} <- match traffic of a site-to-site or even remote access VPN group
ASA(config-cmap)# match flow ip destination-address <- this must be used together with the tunnel-group command above
ASA(config-cmap)# match rtp {start port end port} <- match RTP traffic


Configuration Example for Class-Maps

Consider a scenario where we want to apply some specific policies for the traffic reaching our company's Web Server from the Internet. Maybe we need to apply a restriction on the maximum number of simultaneous TCP connections allowed to reach our Web Server. Also, we want to prioritize voice traffic having a DSCP value of "EF" (expedited forwarding) that goes through a specific site-to-site IPSec VPN tunnel. We will create two class-maps which will classify the traffic that we described above:

ASA(config)# access-list websrv_traffic permit tcp any host 50.50.50.10 eq 80 <- assume our public web server is host 50.50.50.10

ASA(config)# class-map HTTP_To_Web_Server <- create a class-map for the http traffic
ASA(config-cmap)# match access-list websrv_traffic <- match traffic going to web server

ASA(config)# class-map L2L_Voice_Traffic <- create a class-map for the voice lan-to-lan traffic
ASA(config-cmap)# match tunnel-group SITE_A_VPN <- match IPSec tunnel group SITE_A_VPN
ASA(config-cmap)# match dscp ef <- match EF type traffic (i.e. voice)

Keep in mind the configuration snapshot above because we will refer to it later on when we describe Policy Maps.








13.2.2 Configuring Policy Maps


After classifying the traffic with a class-map, we need to assign this class-map into a Policy-Map, which is responsible to apply some actions (policies) on the selected traffic (i.e. traffic that matches the "match" statement in the class-map). We will focus only on Layer3/4 Policy Maps.

The security appliance supports one Policy-Map per interface and one Global Policy-Map. Also, each Policy-Map can support multiple Class-Maps and multiple actions on traffic. For instance, in the configuration example shown in the previous section for class maps, we have configured two class-maps, namely "HTTP_To_Web_Server" and "L2L_Voice_Traffic". We can assign both class-maps into a single Policy-Map and apply actions on them.

To configure a Policy-Map, first configure a name for it, then assign a class-map (using the "class" command) and then configure actions for the specific class-map.

ASA(config)# policy-map [policy name] <- assign a name to the policy map
ASA(config-pmap)# class [class-map name] <- assign a class-map
ASA(config-pmap-c)# [configure actions] <- configure actions for the specific class-map
ASA(config-pmap-c)# exit
ASA(config-pmap)# class [class-map name] <- assign a second class-map in the same policy
ASA(config-pmap-c)# [configure actions] <- configure actions for the second class-map

The available categories of actions that can be configured on a policy-map are the following:

1. csc: send the traffic to the Content Security and Control service module.

2. ips: send the traffic to the Intrusion Prevention System service module.

3. set connection: enforce connection limits on traffic.

4. inspect: apply protocol inspection services.

5. police: apply rate limiting for traffic.

6. shape: apply traffic shaping.

7. priority: apply priority for voice traffic (Low Latency Queuing - LLQ).

8. flow-export: configure filter for NetFlow events.
NOTES:

1) For the older ASA models (5500 series), the CSC (Content Security and Control) and IPS (Intrusion Prevention System) mentioned above are add-on card modules that can be inserted into the ASA firewall chassis to provide specialized security functionality (content inspection, antivirus, antispam, intrusion prevention etc).

2) For the newest ASA models (5500-X series), this specialized security functionality is provided by software modules instead of hardware ones. So in the new 5500-X devices we have an IPS software module and a CX software module. Both of these require additional software licenses to work.

Now, to get a more complete picture of the usage of both class-maps and policy-maps, let's see some configuration examples below in various scenarios. The example scenarios below will cover some of the available "action" categories that can be applied from a policy-map to a class-map.

Configuration Scenario 1: Send traffic to CSC ASA Module for inspection

The CSC module is an SSM card (Security Services Module) that is purchased separately and inserted into the ASA chassis to offer extra functionality such as antivirus, antispam, antispyware etc. This module is available only for the older ASA 5500 models (not the 5500-X models).

The CSC module communicates with the ASA firewall via its backplane.

The CSC module can inspect and filter the following protocols (on their default port):

* HTTP traffic on TCP port 80

* POP3 traffic on TCP port 110

* SMTP traffic on TCP port 25

* FTP traffic on TCP port 21

The Cisco ASA appliance can send HTTP, FTP, POP3 and SMTP traffic to the CSC module for inspection and filtering before allowing the traffic to continue to its destination. You can choose to scan traffic for all of these protocols or any combination of them. By default, the ASA does not send any traffic to the CSC module. You must configure a class-map to identify traffic to be scanned, and then configure a policy-map with the "csc" command which will instruct the ASA firewall to send the traffic to the CSC module for inspection. Here is how we configure a CSC policy:
ASA(config)# policy-map [policy name]
ASA(config-pmap)# class [class name] <- identify traffic to be scanned by csc
ASA(config-pmap-c)# csc {fail-close | fail-open} <- send traffic to CSC card

fail-close = if CSC card fails, traffic will be dropped
fail-open = if CSC card fails, traffic will be forwarded

Using the CSC module with the ASA (diagram): the CSC Module is attached to the ASA Appliance over the ASA Backplane, and both Outbound Traffic and Inbound Traffic can be diverted to it.

In our example below we want to scan and inspect HTTP and POP3 traffic from our internal network users towards the Internet, and also scan and inspect SMTP traffic coming from the Internet towards our company's mail server located on the DMZ.
Assume that our SMTP mail server listens on IP address 50.50.50.1 (port 25). The policy will be applied globally, which means it will affect ingress traffic on all interfaces.

ASA(config)# access-list CSC_traffic permit tcp 192.168.0.0 255.255.255.0 any eq 80
ASA(config)# access-list CSC_traffic permit tcp 192.168.0.0 255.255.255.0 any eq 110
ASA(config)# access-list CSC_traffic permit tcp any host 50.50.50.1 eq 25

ASA(config)# class-map CSC_class <- create a class-map for traffic towards CSC
ASA(config-cmap)# match access-list CSC_traffic <- identify traffic to be inspected
ASA(config-cmap)# exit

ASA(config)# policy-map global_policy <- get into the default global policy
ASA(config-pmap)# class CSC_class <- attach the CSC class-map in the global policy
ASA(config-pmap-c)# csc fail-open <- send traffic to CSC
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

ASA(config)# service-policy global_policy global <- attach the policy globally (this line should be already configured in the default ASA configuration)
Configuration Scenario 2: Send traffic to IPS Module for inspection

Similarly with the CSC card described above, an Intrusion Prevention System (IPS) module card can also be used in an ASA chassis to provide intrusion detection and prevention functionality. For the older ASA 5500 models, the IPS functionality is offered by an add-on hardware module, whereas for the newer ASA 5500-X devices the IPS functionality is offered by a special software module that can be enabled by a license upgrade.

An IPS module is loaded with specialized intrusion detection software which uses "signatures" to identify patterns of malicious traffic in order to block it. Only one module can be used in an ASA though, either a CSC or an IPS module. The IPS module (also called AIP-SSM in the 5500 ASA series) can operate in two modes:

* IPS Inline Mode: In inline mode, the IPS sits in the traffic path and therefore the traffic is fully intercepted and inspected by the IPS before being sent back to the ASA Firewall. The traffic that passes through the IPS is the traffic that matches a class-map configured with the "ips" command. In inline mode, the IPS is capable to block attacks by itself.

* IPS Promiscuous Mode: In promiscuous mode, the IPS does not intercept traffic that passes through the ASA. Instead, the ASA firewall sends a copy of each packet to the IPS for inspection. If the packet is identified as malicious by the IPS, it issues an alarm or instructs the ASA firewall (using the "shun" command) to block the traffic. In this mode the IPS does not block attacks by itself.
Using the IPS module with the ASA (diagram): with IPS Inline Mode, the Outbound and Inbound Traffic crossing the ASA Backplane is intercepted by the IPS Module; with IPS Promiscuous Mode, the traffic is copied to the IPS Module while the original packets continue through the ASA.

By default, the ASA does not send any traffic to the IPS module. You must configure a class-map to identify traffic to be inspected by IPS, and then configure a policy-map with the "ips" command which will instruct the ASA firewall to send the traffic to the IPS module for inspection. Here is how we configure the IPS policy:

ASA(config)# policy-map [policy name]
ASA(config-pmap)# class [class name] <- first identify traffic to be inspected by IPS
ASA(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} <- send traffic to IPS

inline = the IPS will be working in inline mode
promiscuous = the IPS will be working in promiscuous mode
fail-close = if IPS card fails, traffic will be dropped
fail-open = if IPS card fails, traffic will be forwarded
Let's see a more complete example below. Assume that we have a DMZ zone with public servers on subnet 50.50.50.0/24. We want all traffic coming from the Internet towards our DMZ servers to be inspected by the IPS in inline mode.

ASA(config)# access-list DMZ_traffic permit ip any 50.50.50.0 255.255.255.0

ASA(config)# class-map IPS_class <- create a class-map for traffic towards IPS
ASA(config-cmap)# match access-list DMZ_traffic <- identify traffic to be inspected
ASA(config-cmap)# exit

ASA(config)# policy-map outside_ips_policy <- create a policy-map for IPS
ASA(config-pmap)# class IPS_class <- attach the IPS class-map in the IPS policy
ASA(config-pmap-c)# ips inline fail-open <- send traffic to IPS in inline mode
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

ASA(config)# service-policy outside_ips_policy interface outside <- attach the policy on the outside interface

Configuration Scenario 3: Set Connection Limits Policy

The "set connection" command used under a policy-map configuration is used to enforce connection limits for specific traffic flows. When a connection matches the associated match criteria in the class-map, the ASA appliance sets the specified connection limits to the traffic. You can use the "set connection" command to configure the following:

* conn-max: Maximum number of simultaneous connections allowed. Can help to protect against Denial of Service attacks.

* per-client-max: Maximum number of connections allowed per client. Can help to restrict internal users from opening excessive connections (e.g. when using torrent or peer-to-peer).

* embryonic-conn-max: Maximum number of TCP "half-open" (embryonic) connections allowed. Protects against "SYN" attacks.

* per-client-embryonic-max: Maximum number of TCP embryonic connections allowed per client.




Let's see an example scenario below.

(diagram: Outbound Traffic)

We want to apply connection limit policies for HTTP inbound traffic (from Internet to DMZ Web Server) and also for users' outbound traffic (on a per user basis). Assume that our Web Server listens on public IP address 50.50.50.1.

ASA(confi K )M access-list HTTFjrafltc permit !cp any host 50.50.50.1 cq 8(! 

ASA(conn(i)if access-fist Dutbomtdjrafllc permit ip 192.160,0,0 255.255,255.0 any 

ASAfconfifiJ# class-map Web_.$ltV_Class 4r create a class-map tor DM2 Webserver 
ASAfronflg rmup)M match access -list HTTPjrafflc <r id entity HTTP traffic to well srv 
ASA[eonfip;-crnap)tf exit 

ASA(confifi)if class-map 0utbourrd.Clas5 f- creates class-map for Outbound traffic 
ASA (co u fig -1 map] w match access-list out hound .traffic ^-identify outbound traffic 
ASA (confluent Op) W exit 
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ASA(config)# policy-map Veb_SRV_policy 4 create a policy-map for Web Server 
ASA(config-pmap)# class '-Veb_SRV_Class 4 attach the class-map on the policy 
ASA(config-pmap-c)# set connection conn-max 3000 4limit max connections to web srv 
ASA(config-pmap-c)# set connection per-client-max 100 4-limit max per client connections 
to web server to 100 

ASA(config-pmap-c)# set connection embryonic-conn-max 1500 <-limit max half-open 
connections to web server to 1500 
ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 


ASA(config)a policy-map.mtboimd.policy *■ cede J |mllcy ". 

ASA(config-pmap)P Casa Oalbound.Class <- auacl, Ibc 

, ciicni-max 70 4limit max simultaneous 

ASA(conflg-pmap-c)# set connection pcr-cbcn 

connections for each internal user to 70 

ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 

nlerface outside d-atlach Ibc Web seme 

ASAlconfig)# service-policy Web_SRV_P°licy 

Policy on the outside interface interface inside ^attach the mitl.ound i»o 

^A(config)# service-policy >u 1 >' 

°n the inside Interface 
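To see how the four limits interact, the following Python model (an added example, not code from this book or from Cisco) replays a constructed event stream through a simplified connection table that enforces conn-max, per-client-max, embryonic-conn-max and per-client-embryonic-max with the values of the Web_SRV_Policy above plus an assumed per-client embryonic limit of 50. The client addresses, the order in which the limits are checked and the "reject the SYN" behaviour are assumptions of the model; as noted above, the real appliance reacts to an exceeded embryonic limit by intercepting and proxying the handshake rather than dropping the SYN outright.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ConnectionLimits:
    """Mirrors the four 'set connection' knobs; 0 means unlimited, as on the ASA."""
    conn_max: int = 0
    per_client_max: int = 0
    embryonic_conn_max: int = 0
    per_client_embryonic_max: int = 0


@dataclass
class ConnTable:
    """Minimal connection table: (client_ip, client_port) -> 'embryonic' | 'established'."""
    limits: ConnectionLimits
    conns: dict = field(default_factory=dict)
    dropped: Counter = field(default_factory=Counter)   # reason -> number of rejected SYNs

    def _count(self, state=None, client=None):
        return sum(1 for (ip, _), st in self.conns.items()
                   if (state is None or st == state) and (client is None or ip == client))

    def syn(self, client, port):
        """A new SYN creates an embryonic connection unless a limit is already reached.
        The checking order below is this model's own choice (assumption)."""
        lim = self.limits
        checks = (
            ("conn-max", lim.conn_max, self._count()),
            ("per-client-max", lim.per_client_max, self._count(client=client)),
            ("embryonic-conn-max", lim.embryonic_conn_max, self._count("embryonic")),
            ("per-client-embryonic-max", lim.per_client_embryonic_max,
             self._count("embryonic", client)),
        )
        for name, limit, current in checks:
            if limit and current >= limit:
                self.dropped[name] += 1
                return False
        self.conns[(client, port)] = "embryonic"
        return True

    def ack(self, client, port):
        """Final ACK of the three-way handshake: embryonic -> established."""
        if self.conns.get((client, port)) == "embryonic":
            self.conns[(client, port)] = "established"
            return True
        return False

    def close(self, client, port):
        self.conns.pop((client, port), None)


def run_syn_flood_scenario():
    """Constructed traffic: a legitimate client (assumed address 192.168.5.10) opens five
    connections normally, then an attacker (assumed 198.51.100.77) sends 200 SYNs and
    never completes a handshake. Returns the resulting table statistics."""
    table = ConnTable(ConnectionLimits(conn_max=3000, per_client_max=100,
                                       embryonic_conn_max=1500, per_client_embryonic_max=50))
    legit, attacker = "192.168.5.10", "198.51.100.77"
    for port in range(40000, 40005):
        table.syn(legit, port)
        table.ack(legit, port)
    attacker_accepted = sum(table.syn(attacker, 50000 + i) for i in range(200))
    return {
        "legit_established": table._count("established", legit),
        "attacker_embryonic": table._count("embryonic", attacker),
        "attacker_accepted": attacker_accepted,
        "drop_reasons": dict(table.dropped),
    }


if __name__ == "__main__":
    # The attacker is stopped by per-client-embryonic-max (50) long before the
    # server-wide embryonic-conn-max (1500) or conn-max (3000) are touched, and the
    # legitimate client's five established connections are unaffected.
    print(run_syn_flood_scenario())
```

The per-client embryonic limit is what protects the server from a single spoofing source: the global embryonic-conn-max of 1500 alone would let one attacker consume the whole half-open budget before TCP intercept engages for everybody.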


Configuration Scenario 4: Application Inspection Policy 

By default, the out-of-the-box Cisco ASA has a default policy (global_policy) which applies inspection 
to several applications (using the default inspection class-map). If you look at the running 
configuration of the appliance (using the "show run" command), you will see the following default 
configuration commands: 
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class- atop inspect ion_defnull 
match default-inspect1on-1ruffe 

t 

policy-map type inspect dns preset_dns_mop 
parameters 

meiisuife-length maximum Sl2 

policy-map globaf_polfey 

class fnspection^defmtit 

inspect dns preset_dns_map 

inspect h323 h225 

inspect h323 ros 

inspectrsh 

inspect rtsp 

inspect spinet 

inspect skinny 

inspect suttrpe 

inspect xdmcp 

inspect sip 

inspect tietbios 

inspect tftp 

inspect Us 

inspect ftp 

inspect http 

j 

service-policy fjlabaipolfcyyhbai 

From the default configuration shown above, you can observe that there is a default class-map 
(class-map inspection_default) and a default policy-map (policy-map global_policy). The default 
policy is applied globally on the appliance (service-policy global_policy global). 

Notice that we use the "inspect" command to apply application layer inspection on several 
protocols. We can add or remove protocols from the global policy accordingly. You can go under the 
policy-map global_policy > class inspection_default and type "inspect ?" to see which other 
protocols are supported for inspection. Then you can add more protocols for inspection as needed. 

The "inspect" command for each protocol helps the security appliance to do the following: 

* Look for common security issues in the application layer and prevent them (e.g. drop 
  protocol violations or oversized messages, as the "message-length maximum 512" parameter of 
  the DNS inspection does). 

* Look for additional connections that need to be opened (e.g. for FTP or voice traffic) and 
  open those connections as well, so that you do not have to permit the secondary channels 
  with static access-list entries. 

* Look for embedded addressing information inside packets that will be translated with NAT 
  (more details later in this book). 

Keep in mind that a strict inspection can also drop legitimate traffic from applications that do not 
follow the protocol standard exactly. After enabling a new inspection, check the syslog messages and 
the drop counters of "show service-policy" before leaving it in production. 


The "police" mechanism is configured as below: 

ASA(config)# policy-map [policy name] 

ASA(config-pmap)# class [class name]        <- first identify traffic to be policed 
ASA(config-pmap-c)# police {input|output} conform-rate-in-bps [burst-size-in-bytes] conform-action 
{drop|transmit} exceed-action {drop|transmit} 

The "input" keyword applies traffic limiting to packets entering an interface and the "output" 
keyword applies traffic limiting to packets leaving an interface. The burst size indicates the 
maximum size in bytes of an instantaneous burst of traffic allowed before the traffic is capped to get 
it back to the policing rate. If you omit the burst size, the ASA uses a default of 1500 bytes, which is 
only one full-size packet and makes the policer very aggressive. A formula to calculate a good 
maximum burst size (equal to 1.5 seconds of traffic at the conform rate), according to the 
maximum rate limit applied, is the following: 

Burst Size = (conform rate in bps) / 8 * 1.5 


Assume that we want to apply rate limiting to a specific IPSec remote access user group (with name 
"Remote_VPN") as following: 

* Maximum allowed bandwidth of 512kbps 
* Burst Size = (512000 / 8) * 1.5 = 96000 bytes 

Let's see the configuration snapshot below: 

ASA(config)# class-map VPN_Users_Class                  <- create a class-map for VPN remote users 
ASA(config-cmap)# match tunnel-group Remote_VPN         <- identify the VPN tunnel group 
ASA(config-cmap)# exit 

ASA(config)# policy-map VPN_Policy                      <- create a policy-map for VPN remote access 
ASA(config-pmap)# class VPN_Users_Class                 <- attach the class-map on the policy 
ASA(config-pmap-c)# police input 512000 96000 conform-action transmit exceed-action 
drop                                                    <- limit the traffic to 512Kbps and 96000 bytes of burst size 
ASA(config-pmap-c)# police output 512000 96000 conform-action transmit exceed-action 
drop                                                    <- do the same for outgoing traffic 
ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 

ASA(config)# service-policy VPN_Policy interface outside    <- attach the VPN policy on the 
outside interface 


Configuration Scenario 6: Setting Prioritization for Traffic 

The last configuration example that we will see here has to do with priority and queuing (more 
details on QoS and prioritization of traffic in another Chapter later on). We can use the "priority" 
command under the policy-map configuration to enable Low Latency Queuing for traffic that is 
delay-sensitive (mainly voice). Together with the "priority" command we must also use the 
"priority-queue" command in order to enable the priority queue on the interface on which we 
want to apply high priority for traffic. Each interface of the security appliance has two queues: A 
priority queue which is used to transmit delay-sensitive traffic and a default queue which transmits 
all other traffic. Priority queuing is applied ONLY on egress traffic (packets that exit from an 
interface). 

The "priority" mechanism is configured as following: 

ASA(config)# policy-map [policy name] 

ASA(config-pmap)# class [class name]        <- first identify traffic to apply priority on 

ASA(config-pmap-c)# priority 
ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 

ASA(config)# priority-queue logical_if_name  <- enable the priority queue on an interface 
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., fnllowl^lj cs,m11 ’ 11 ^ Vl i'h’h ] 11 Id tit y lor voice traffic that passes through a Specific 

i 111 . . m i tutu id l n't woe ii iwn sit va r 

V** 4 ** 


d !lW,,,,, “P Vuit v * 21 i A u * * * rciilca d ass-map for voice V 1 J N traffic 
\, {c o^^ ]ii ,im,cl1 iinillpl ^ rim l i L2U,Vl fc N hi entity (he IPSec VPN tumid 
^ iniitcli tlsqt <?f ^maU-li the expeilMed forwarding“cl" voice traffic 

^[conflG-^l'J" cxiL 


policy- map voice. pulley f- create a pulley*map for VPN voice traffic 
vSjV [cofll1g-l Jlrta ] , >” l '^ ilsS ^ i, lt’c_Liil v ( r |;isji 4r attach the class-map on the policy-map 
A5A (coiinfl-pm;ip"<ON priority <r apply Iti^li priority to voice traffic 
AS A(ri»m!-l«i |ia l 1 ' c ) # ^alt 
^(conflg-pwaP^ exit 

^SA(conflg)tt priority-queue outside ^-enable the priority queue on the outside interlace 


13.2.3 Configuring a Service-Policy 

So far we have seen the two (out of three) components of a Modular Policy Framework (MPF) 
configuration. That is, we have described Class-Maps and Policy-Maps. The third and last 
component of an MPF is a service-policy. A service-policy is used to attach the policy-map either 
globally or on a specific interface. 

* If the policy-map is applied globally, actions are applied to traffic in the ingress direction 
  only. 

* If the policy-map is applied on a specific interface, actions are applied to traffic in both the 
  ingress and the egress direction. 

Only one global service-policy can exist and each interface can have only one service-policy 
attached to it. For traffic that matches both, the interface policy takes precedence over the 
global policy. 

The service-policy command syntax is the following: 

ASA(config)# service-policy [policy-map name] {global | interface [interface name]} 

So, to apply a service-policy with name "voice_policy" to the outside interface we would use the 
following: 

ASA(config)# service-policy voice_policy interface outside 

To verify that your policies are being enforced, use the "show service-policy" command. 
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jjjicr 14 Quality of Service (QoS) Configuration 

11 ( j 1( , ^ui |>Lise ofa Cisco ASA appliance Is to secure the network it incorporates a!w some 
^ r 111 L i‘ii ha ncr Ira 111c How t Ivruu gh the appliance, QoS is one of these features. Some network 

ft-ilUl!*'* 

j t , s volet' ami streaming video. cannot tolerate lung latency times, QoS is a feature that 
i flic# sUC " L 

_j#jn priori! y to these types of traffic wet other types of traffic (such as pure data traffic). 
104you hi™ ■ 


t i, l , folifowlnfl QoS feat urns/mechanisms ah* supported by the ASA appliance: 

t imlidoli fltnte UiniUun) - settiiig threshold Liniits to traffic (max). Limits the maximum 
bandwidth used per flow, 

. Prlotrllv Queuing, -1f congestion occurs t intelligcntly identify critical trailit and usc Li 1 
Latoncy QUOUlug for transmltting critical traffic before o ther traffic. Used to r V a l F mairuy ■ 
Priority Queuing is further divided Into Standard and Hierarchical Frionti Queuifl®- 
* Truffle Shnptnu “ match device and link speeds In order to centre. pakket la iS - * a, iab te 
delay, and link saturation. For example, if you have an ASA with FastEthernet Imks 
connected to an ADSL line, you can configure the ASA to transmit packets at a futsd slower 

rate, 


NOTE: In order for QOS to be effective in any given network you must implement it eruhto end on 
^devices# For known bottleneck devices within a network, its critical that QoS be enabled on 

those devices as well, 

Y „„ cm, co,ins,,™ each of the QoS features above alone or can you make also a couple of supported 
“Z„s of QoS mechanisms- Tbc supported QoS feature combinations pentnterface are 

shown below: 

• SnmLard priority queuing [for specific traffic) * Policing [for the tost of the traffic). 

Von cannot configure priority queuing and policing for the same set of traffic. 

Trnffic shaping [for all traffic on an interface) + Hierarchical priority queuing [for a subset 
of traffic)* 


rann0t configure traffic shaping and standard priority queuing for the same interface; only 
hi crarchleal priori ty queu ing & allowed 
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WITS; 


al,hm « h the *S* 1«s " 0t r “ ,nft '“| 1 1 p™ c |„s"or*tr a lf>c shaping. Thu rrason Is that the 
Priority queuing need* to be used will | Srw saturated [ n 

L»* Latency Queue (Liq) «. „„ k Is mil. Slnct ASA "' 

other words, prioritization of »«**'*'“ " „ s , tll «tir.B these links Isn’t something l)m 

interfaces are either 100Mbps or lGbps or more, *f tl,ran "« . f ™* 

will happen often. Therefore, by Implementing policing or ,ra ^f ‘ 6 11 ' kM ' U 4 

actually makes LLQ kick In at the point the policing or shaping n 


14.1 Traffic Policing 

Traffic policing is a feature through which we can define a rule on the ASA which will drop packets 
if they exceed the defined traffic (bandwidth) limit. With policing, you can specify a class of traffic 
on which you want the policing to take effect. 

We have seen the Policing feature in the previous Chapter. To refresh our memory, it is configured 
as below: 

ASA(config)# policy-map [policy name] 

ASA(config-pmap)# class [class name]        <- first identify traffic to be policed with a class map 
ASA(config-pmap-c)# police {input|output} conform-rate-in-bps [burst-size-in-bytes] conform-action 
{drop|transmit} exceed-action {drop|transmit} 

The "input" keyword applies traffic limiting to packets entering an interface and the "output" 
keyword applies traffic limiting to packets leaving an interface. The burst size indicates the 
maximum size in bytes of an instantaneous burst of traffic allowed before the traffic is capped to get 
it back to the policing rate. A formula to calculate a good maximum burst size, according to the 
maximum rate limit applied, is the following: 

Burst Size = (conform rate in bps) / 8 * 1.5 
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^■ssec ho* to configure a baste QoS Traffic Policing scenario* 

for e!tart>P le » asSume WL ’ Wiint 10 rastritt traffic from a host with IP !92 HR. 10 J to another host 
^jth IP lO.W* tlThe ralelltIlit shoukl bc 512kbps with 92khytErs bur&E traffic. 



rf/raf WhnffllP ^fflc with an ACL 

A 5A(confie) # accws-lisi polidng ad extended permit fp host 192,160-10,1 host.10.1,1.1 

jlSA[conngl# class-map RateJ, Inline! ass 4r created daxs-map for the traffic 
ASAfconfTe-cmup)# matth a cccs£-llsi policing acl *-atiadi Uie ACL created above 
ASAtcoflfig-cmap)* 1 estit 

ASA(confi&)W policy-map Until Policy £■ create a policy-map for rile limiting 
ASAtconfig-pmapll# class Rate_M.mil .Class <r attach the class-map on tlie policy 
A$A[config'pmap-c]# police output S12000 96000 conform-acilon transmit exceed-action 
drop 4-liniit the traffic to 512kbps and 96 (W0 bytes of burst slr/e 
ASAtccmng-pniitp-e)# exit 
ASA(co nflg- pmap} # exit 


ASA(conflg)# service-policy I Jmlt„ Policy interface outside ^-attach the rate limit policy on 


the outside interface 


14.2 Traffic Shaping 

For Traffic Shaping on ASA you must have in mind the following important notes: 

1. Traffic Shaping is applied only to traffic leaving an interface (egress direction). 

2. For Traffic Shaping only the "class-default" class-map (which is created automatically by the 
   system and matches all traffic) can be used. You cannot create a custom class-map to shape a 
   subset of the traffic. 

3. Traffic Shaping cannot be combined with standard priority queuing on the same interface; only 
   hierarchical priority queuing (nested inside the shaping policy) is allowed. 

Traffic Shaping is similar to policing except that shaping will place the packet into a buffer and 
smoothen the traffic flow to match the limit imposed. On the other hand, policing will drop the 
packet once the limit has been exceeded. 

Basically the configuration of traffic shaping alone is much simpler since only the "class-default" is 
used. Let's see an example below. Assume the ASA is connected to a cable modem with upstream 
bandwidth of 1Mbps. We want to shape outgoing traffic from the ASA to 1Mbps. 

ASA(config)# policy-map QOS-TRAFFIC-OUT          <- start with the policy map directly 
ASA(config-pmap)# class class-default             <- Only class-default is allowed 
ASA(config-pmap-c)# shape average 1000000         <- Traffic shaping to 1Mbps for all outbound traffic 
ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 

ASA(config)# service-policy QOS-TRAFFIC-OUT interface outside   <- apply shaping policy to 
outside interface 

Traffic Shaping alone is not used a lot in actual networks. Instead it is usually combined with 
Priority Queuing as we will see in the next section. 
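The difference between the two actions (policing drops, shaping delays) and the meaning of the burst-size rule from section 14.1 are easier to see on real numbers. The following Python model (an added example, not code from this book or from Cisco) implements both as a single-rate token bucket: police() drops non-conforming packets, shape() queues them and releases them as tokens accrue, and burst_for() applies the book's Burst Size = (conform rate in bps) / 8 * 1.5 formula. The 1500-byte packets arriving every 10 ms are constructed input; the token-bucket details (bucket starts full, tokens counted in bytes, drop only when the shaper queue is full) are the model's own assumptions and not a description of the ASA's internal implementation.

```python
def burst_for(rate_bps, factor=1.5):
    """Burst Size = (conform rate in bps) / 8 * factor: 'factor' seconds of traffic
    at the conform rate, expressed in bytes (the book uses factor 1.5)."""
    return int(rate_bps / 8 * factor)


class TokenBucket:
    """Single-rate token bucket. Tokens are bytes, refilled at rate_bps/8 per second
    and capped at burst_bytes. A packet conforms if enough tokens are available."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0           # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)     # assumption: a fresh bucket starts full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conform(self, size, now):
        self.refill(now)
        if self.tokens + 1e-9 >= size:       # epsilon guards exact-threshold float cases
            self.tokens -= size
            return True
        return False


def police(packets, rate_bps, burst_bytes):
    """'police ... conform-action transmit exceed-action drop'. packets is a list of
    (arrival_s, size_bytes); returns (transmitted, dropped) as lists of (time, size)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted, dropped = [], []
    for t, size in packets:
        (transmitted if bucket.conform(size, t) else dropped).append((t, size))
    return transmitted, dropped


def shape(packets, rate_bps, burst_bytes, queue_limit=1024):
    """'shape average': excess packets wait in a FIFO and leave as tokens accrue; a packet
    is dropped only when queue_limit packets are already waiting. Returns
    (transmitted as (send_time, size), dropped, max_queueing_delay_s)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted, dropped, pending = [], [], []   # pending: send times of queued packets
    link_free, max_delay = 0.0, 0.0
    for t, size in packets:
        pending = [s for s in pending if s > t]  # packets already sent by t left the queue
        if len(pending) >= queue_limit:
            dropped.append((t, size))
            continue
        start = max(t, link_free)                # FIFO: cannot leave before the previous one
        bucket.refill(start)
        if bucket.tokens >= size:
            send = start
            bucket.tokens -= size
        else:                                    # wait until the missing tokens have accrued
            send = start + (size - bucket.tokens) / bucket.rate
            bucket.tokens = 0.0
            bucket.last = send
        link_free = send
        pending.append(send)
        transmitted.append((send, size))
        max_delay = max(max_delay, send - t)
    return transmitted, dropped, max_delay


def constructed_packets(count=200, size=1500, interval=0.01):
    """Constructed input: 1500-byte packets every 10 ms (about 1.2 Mbps), well above the
    512 kbps limit used in the book's policing example."""
    return [(round(i * interval, 6), size) for i in range(count)]


if __name__ == "__main__":
    rate, burst = 512000, burst_for(512000)      # 96000 bytes, as computed in the text
    pk = constructed_packets()
    tx, drop = police(pk, rate, burst)
    stx, sdrop, delay = shape(pk, rate, burst)
    print(f"burst={burst} bytes; policed: {len(tx)} sent, {len(drop)} dropped")
    print(f"shaped: {len(stx)} sent, {len(sdrop)} dropped, max delay {delay:.3f} s")
```

With a 96000-byte burst the policer lets roughly the first 110 packets through untouched and then drops about every second packet, while the shaper delivers all of them but the last one leaves about 1.2 s after it arrived. That delay is why shaping alone suits bulk data and not voice, and why the next section nests a priority queue inside the shaper.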


14.3 Priority Queuing 

We have two types of Priority Queuing: 

1. Standard Priority Queuing: It uses a Low Latency Queue (LLQ) on an interface while all 
   other traffic goes into a "best effort" queue. 

2. Hierarchical Priority Queuing: Used on interfaces where you enable a Traffic Shaping 
   queue. Basically you have a certain amount of traffic which is traffic shaped, and a subset of 
   this traffic is prioritized. 
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Standard Priority Queuing 


w Priority Queue is used when doing traffic prioritization without, raracshapine. Whan 
^“t^priori^'ion without traffic shaping, the standard priority queue muslbe configured 
do |n f , on lhe interface on which we need to apply priority QoS, 

jjjplici'v 

„ enable the standard priority queue on the Interface which Priority QoS is required 
S(conng)# priority-queue outside ^-Enable priority queue on outside interface 


ontionally y°« tan configure also the queue limit (default limit is 1024 packets) 
^janfig'priorfty-queue)# queue-limit 2048 


Usually Standard Priority Queuing is configured with Policing, so the examples we will see below 
tjfte this into consideration. 




Scenario 1: 


Assume we have a total of 1 Mbps of upload hard width on the ASA outside interface. We want to 


reserve 2D0kbps for voice traffic and the rest 800kbps will be rate-limited (policed). 


ASA(conflg)# p ri ority- queue outside 4-firsl enable standard priority queue on outside 


AS A (to n fig-p rio ri ty-qu c u e) 8 ex i t 


ASA [conflg)# class-map voice-traffic 

ASA(config emap)# match dsep ef ^match voice packets with Expedited f orwarding bit 
AS A (ton fig-cma p) W exit 


1 


ASA(conrig)*tpolicy-map QOS 
ASAfconfie-pmaplW class voice-traffic 

ASA(config prnap-*)* priority tenable priority QoS for voice class. 
ASA(config.pmap-c)»exlt . f lrt . res , nf traffic policed at BOOkbps 

ASA(connrpmap police output 800000 coufom-action transmit esceed-aefinu drop 
ASA (config-pm a p -c) # ex it 

ASA(conng-pmap)Hcxit interface outside^ apply policy on outside interface 

ASAtcortfig)# service-policy t|us 


don't set -i bandwidth value for the voice traffic, Since you know that the 
bte from above that you i a r -.the rest of the traffic at 800kbps, tins means that voice 
nk bandwidth is lMbp«»ntiyou 
■afficvrill have 200 kbps reserved- 
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_ rf , hat VO jct: traffic is already marked with "dscj> ef which 

Also, on the sample above we assumed that 

the usual case with vote* packet* 


Scenario 2: 

This is a scenario that you will find frequently in actual networks. You have two sites connected 
with a Site-to-Site IPSec VPN between them. In addition to normal data traffic inside the tunnel, there is 
also voice traffic generated by an IP Telephony system in each site. We want to give priority to voice 
traffic which is passed inside the VPN tunnel (see diagram below). 

We will see the configuration on ASA1 (for ASA2 the configuration will be similar). Assume that the 
site-to-site VPN is already configured on ASA1 with a tunnel-group name of "200.200.200.1". 

The total bandwidth of the outside interface is 1Mbps. We want to reserve 400kbps for VPN traffic 
and 600kbps for the rest of the traffic. From the 400kbps of VPN traffic we want to reserve 100kbps 
for voice and the rest for the other VPN traffic. 

So, the bandwidth requirements are summarized below: 

  Total Bandwidth:           1Mbps 
  Total VPN Tunnel Traffic:  400kbps 
  Total non-tunnel traffic:  600kbps 
  Voice VPN Traffic:         100kbps 
  Rest of VPN traffic:       300kbps 

[Diagram: VoIP QoS over Site-to-Site IPSEC VPN. ASA1 (inside / outside) and ASA2 (outside / inside) 
are connected over the INTERNET by an IPSEC Site-to-Site Tunnel; the VoIP traffic travels inside 
the VPN.] 

Assume we have the following tunnel-group configured: 
ASA(config)# tunnel-group 200.200.200.1 type ipsec-l2l 

! Enable priority queue on outside 

ASA(config)# priority-queue outside 
ASA(config-priority-queue)# exit 
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**jSK»p)* ^" ne, f t° UP *»n**OA*Wh jackets fastfe ts;, 

it! raatCh dSCp * f ' al5 ° ta « EFfcit tU^« inside v T n n^l 


jut-map TOlce-vpn-trafiic 




j-niap r^t-vpn-traJfflc 

3 match tunnel-group 200.200.200.1<-matth packets inside this tei-.r 
S match flow ip destination-address Snatch flows go in* to each l?**L 
#exiE 

x VLicorfi£ZpoKcy-vnap QOS 
^(config-P^Pi^ dass vaire-vpn-ttaffic 

ASi(conflg'P0> a P < 1 # priority ^-enable priority QoS for voice inside vpn dass of traffic. 

[coofig’ pmap^c) it exit 

j^conflg-pmap)# class rest^-pn-trafficerate-limit 3ODkbps for rest of traffic inside i^n 
^ 5 A[config-pinap-c)“ Police output 300000 coufonn^artioo transmit exceed'action drop 

ASA[t»nflg-pinap-c]“exit 

A5A(ccnfig-pmap}S class class-default 4-all non-tunnel traffic policed at 600kbps 
ASA{cOEfig’Pnmp-c)# police output 600000 eonfo mi-action transmit exceed-action drop 
ASA [co nfig-pmap-e) # exit 
AS Afconfig- p map}# exit 

A5A(config]S service-policy QOS interlace outside4- apply policy on outside interface 


^[cgnflg-a^Pl 

VctfcooflfO^i 

lyjcoofiS-^Pl 


14.3.2 Hierarchical Priority Queuing 

When doing traffic prioritization together with traffic shaping, the ASA uses the Hierarchical 
Priority Queue. In such a case, there is no need to explicitly configure the priority queue on the 
outside interface (like we did for the standard priority queue before). 

In Hierarchical Priority Queuing you need to use nested policy maps. One policy map will be 
configured for the priority traffic and this policy map will be used inside another policy map which 
will enforce traffic shaping. 

Let's see a couple of scenarios below: 

Scenario 1: 

Consider again the network diagram we have seen in the previous section (Scenario 2 in Standard 
Priority Queuing). Assume we have a total of 1Mbps of upload bandwidth on the outside 
interface. Also we have a VPN tunnel between the two sites. We want to prioritize VPN traffic 
between the two sites. Because encryption occurs before prioritization, we will classify traffic 
based on the VPN tunnel endpoints (i.e. traffic between outside IP addresses 100.100.100.1 and 
200.200.200.1). 
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Let's sec configuration on ASAl: 


ZOO.ZOO.ZOO.1 CO isaJ^P dcd jt 

ASA(cmirig}W access-list VPN 1 RArML exu nuu , 

200,200.200.1 


with an ACL 

udp host 100.100400.1 host 
esp host 100.100400.1 host 


ASA (con fig)# class-map vpn-troffic 
ASA(conflfi-ctnap)# match access-list VPN 
AS A(co nfig-c map] #exi t 


-TRAFFIC^ match vpn traffic ACL from above 


ASAfconfig)# policy-map PRIORITY 4-thls policy map will be nested next 

ASA(conflg-pmap)tf class vpn-trafflc 
AS A(conrig-pmap-c) If priority ^-prioritize VPN traffic 
AS A(c« nfig- p m a p ■ c)# exit 
ASA(config-pmap) ttesit 


ASAtironfLgJH policy-map QOS 

ASA (enn fig- pm up) ft class class-default 

ASA(coiiflg-pmap-c}Ws!iapeaverage 992Q0G4~Khapu just a little below link barn! width 
ASA (con fi g- pmap-c) ttservl ce- po I icy PR I Oft IT Y 4- nes t ed p ni Icy map 
AS A(cnnfig-p map - c) # c x it 
ASA [config- pnia p}# exit 

ASA(config)Wservice-policy QOS interface outside 

NOTE: From the configuration above, notice the nested policies. First we have defined the 
PRIORITY policy which is then used inside another policy (QOS policy). Also, the link bandwidth is 
1Mbps but we are shaping traffic a little bit below (992kbps) which from my experience works 
better in prioritization. This means that when the link bandwidth is saturated (around 992kbps) 
then shaping and priority queue will kick in and priority traffic will be transmitted first. Remember 
that in Hierarchical Queuing we are prioritizing a subset of the shaped traffic. 

Scenario 2: 

This is similar with the above but we are going to match VoIP traffic inside the VPN. 

NOTE: When using Hierarchical Priority Queuing for encrypted VPN traffic you can match packets 
only based on DSCP value. Packet matching based on tunnel group name (as we did in the previous 
section on Standard Priority Queuing) is not supported. Matching on DSCP works for the encrypted 
packets because the ASA copies the DSCP value of the original (inner) packet to the outer ESP header. 

ASA(config)# class-map voice-traffic 

ASA(config-cmap)# match dscp ef          <- match voice traffic (tunnel matching not supported) 

ASA(config-cmap)# exit 

ASA(config)# policy-map PRIORITY         <- this policy map will be nested next 
ASA(config-pmap)# class voice-traffic 

ASA(config-pmap-c)# priority             <- prioritize voice traffic 

ASA(config-pmap-c)# exit 

ASA(config-pmap)# exit 

ASA(config)# policy-map QOS 

ASA(config-pmap)# class class-default 

ASA(config-pmap-c)# shape average 992000  <- shape just a little below link bandwidth 
ASA(config-pmap-c)# service-policy PRIORITY  <- nested policy map 
ASA(config-pmap-c)# exit 
ASA(config-pmap)# exit 

ASA(config)# service-policy QOS interface outside 
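Both the standard (priority + policing) and the hierarchical (priority inside shaping) configurations of section 14.3 come down to the same egress behaviour: one serialization link at the policed or shaped rate, a strict-priority queue served first and a default queue with a packet limit. The following Python scheduler (an added example, not code from this book or from Cisco) reproduces that behaviour on constructed traffic so the effect of the "priority" command, of "queue-limit", and of the chapter NOTE that LLQ only matters once the link is saturated can be measured. The traffic mix (200-byte voice packets every 20 ms, 1500-byte data packets every 5 ms) and the single-link, packet-granular model are assumptions of the example.

```python
from collections import deque


def constructed_arrivals():
    """Constructed one-second traffic mix: G.711-like voice (50 packets of 200 bytes,
    one every 20 ms, about 80 kbps) competing with a bulk transfer (200 packets of
    1500 bytes, one every 5 ms, about 2.4 Mbps) for the same outside interface."""
    voice = [(round(k * 0.020, 6), 200, "voice") for k in range(50)]
    data = [(round(k * 0.005, 6), 1500, "data") for k in range(200)]
    return sorted(voice + data, key=lambda p: p[0])


def simulate(rate_bps, priority=True, queue_limit=1024, arrivals=None):
    """Egress scheduler for one interface whose link sends one packet at a time at
    rate_bps (the 'shape average' or policed rate). With priority=True the 'voice'
    class goes to the priority (LLQ) queue and is always served before the default
    queue, as the 'priority' command does; with priority=False everything shares the
    FIFO default queue. queue_limit mirrors the 'priority-queue ... queue-limit'
    packet cap: a full queue tail-drops. Returns per-class maximum queueing delay in
    seconds plus packets sent and dropped."""
    arrivals = arrivals or constructed_arrivals()
    pq, dq = deque(), deque()
    sent = {"voice": 0, "data": 0}
    dropped = {"voice": 0, "data": 0}
    max_delay = {"voice": 0.0, "data": 0.0}
    link_free = 0.0                 # time at which the link finishes its current packet
    i = 0
    while i < len(arrivals) or pq or dq:
        if not pq and not dq:       # link idle: jump forward to the next arrival
            link_free = max(link_free, arrivals[i][0])
        while i < len(arrivals) and arrivals[i][0] <= link_free:
            t, size, cls = arrivals[i]
            i += 1
            q = pq if (priority and cls == "voice") else dq
            if len(q) >= queue_limit:
                dropped[cls] += 1   # tail drop: queue already holds queue_limit packets
            else:
                q.append((t, size, cls))
        q = pq if pq else dq        # strict priority: drain the LLQ before the default queue
        t, size, cls = q.popleft()
        max_delay[cls] = max(max_delay[cls], link_free - t)
        sent[cls] += 1
        link_free += size * 8 / rate_bps   # serialization time of this packet
    return {"max_delay": max_delay, "sent": sent, "dropped": dropped}


if __name__ == "__main__":
    for label, kwargs in (("LLQ, 992 kbps", dict(rate_bps=992000, priority=True)),
                          ("FIFO, 992 kbps", dict(rate_bps=992000, priority=False)),
                          ("FIFO, 100 Mbps", dict(rate_bps=100_000_000, priority=False)),
                          ("LLQ, queue-limit 20", dict(rate_bps=992000, queue_limit=20))):
        r = simulate(**kwargs)
        print(f"{label:22s} voice max delay {r['max_delay']['voice']*1000:7.2f} ms, "
              f"data max delay {r['max_delay']['data']:.2f} s, dropped {r['dropped']}")
```

At 992 kbps the voice packets wait at most one data serialization time (about 12 ms) with the priority queue, but well over half a second behind the data backlog without it; at 100 Mbps the link never saturates and voice sees no queueing delay in either mode, which is the point of the chapter NOTE. Lowering queue-limit does not change voice delay; it only makes the default queue tail-drop data earlier.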
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Chapter 15 Cisco ASA 5505 Overview 

, erne fi.'cwal! appliance which has sonic Hardwar- 
l i,is chanter is dedicated to the Cisco ASA 550a hrewau -pi aware. 

Licensing and Confiscation differences compared with the other models T he ASA SSOS provide,, 
high-performance and hexiblc upgrade from the older FIX 501 and FIX 506E appliances and is 
despond for small offices or remote branches, fielow we w,h prov.de an overview of the AS AS 505 
appliance and also describe the basic differences of this mode! compared with the other ASA 

devices. 


15.1 ASA 5505 Hardware and Licensing 


15.1.1 Hardware Ports and VLANs 



1 

Power A8VDC 

2 

SSC slot 

3 

Console Port 

4 

Lock Slot 

nr 

Reset Button 

6 

USB 2.0 interfaces 

7 

Network Ports 0-5 fin/lfM) 

8 

Network Ports fr-7 (10/1110 with Power over Ftherontl 
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lik .lhf«*ciCtscoASA models, the ASA 5505hasah,„t,, „ 

"“" kl llloW . k * nl ^ W/l» W i.d lM ,h^ 


il*e 


lifitf* 


e j 


Lin 


^^(rumrifil-ito lelbw-ehave Eihwncto/o up Etht ? 
iy,wtrovcrEthcrne( I’wts (PoE), which means thu Inarfriri ' W“P«ts«aril7»r, 
IPM (or other Po E devices) 

^ Interface* of the ASA SSOS work only 1S t ,7" * ** M POrtS ?h< 
«s htn t .. ™y Hi Layer* ports, Which is the difference of the 

fSOSftom the °‘*er ASA mod*. I Mo mean* that yen cannot configure a Layer 3 if address 
„n each inter face. Instead, yen have to assign the interface port in a VLAN, and then 

II Hi rnuu.nl I _ \ 


directly 


t" v ' - v* "Menace port m a VLAN 

«#<* a Firewall Interface parameters under the interface VLAN command. 

Yd,ran divide the eight physical ports into groups, called VLANs, that function as separate 
jetworits. This enables you to Improve the security of your business because devices in different 
VLANs ran only communicate with each other by passing (he traffic through the firewall appliance 
where relevant security policies can be enforced. Devices in the same VLAN can communicate 
tetwcen them without i-Lrewall control. Your license determines how many active VLANs you can 
have on the ASA 5 SO 5. 


The ASA 55OS conies preconfigured with two VLANs: VLAN l and VLAN2. By default; Ethernet 
switch port 0 (Ethernet 0/0] is allocated to VLAN2. All other switch porta are allocated by default to 
VLANI, 


The factory Default configuration of the network interfaces uses port EthernetO/O as the Outside 
(intrusted interface f connecting to Internet], and the rest of the interfaces (0/1 to 0/7) are 
configured as the trusted Inside Interfaces connecting to Internal hosts. Two Switch Vlan Interlaces 
(SVl) exist by default (Interface Vlan 1 and Interface Vlan 2) which can be used to assign the 
Layer 3 IP addresses and other interface settings for the Outside lone (Ethernet fl/0] and for the 
inside zone (EthernetO/1 to 0/7). The default configuration of the Cisco ASA 5505 will be 
^plained in the next section. 
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IS.1.2 


Licensing 


J o VLANs, you rad create as many at 20 VLANs 

JUtbMl* the ASA 5505 comts preconRguwd with two vi^ ■ > ’"s. 

. create VLANs for die Inside. Outside, and DM2 

depending on your fkmst. F or example, you cou.0 create ^ ^ 

artwork s^nents. Ther* are mo liconM options foi the ASA S50S: 


• Base Li cense' 

* Security Plus Ucen se 


Ease License 

Wife fee Base license, you can configure up to 3 VLANs, thus segmenting your network into three 
security zones (Inside, Outside, DMZ), However there is a communication restriction between 
VLANs (zones}. Communication between the DM2 VLAN and the Inside VLAN is restricted: the 
Inside VLAN is permitted to send traffic to the DM2 VLAN, but the DM2 VLAN is not permitted to 
send traffic to the Inside VLAN. Also, you cannot configure firewail failover redundancy with fee 
Ease License,These limitations are removed with the Security Plus license. 
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i ■! jfjr. 


T» trig* • WW License use the {o[io 

sa SSOS(conng)fl Interface Vlati s ftdB! 

ijSSDS(conflgif)H Ii» forward Interface vlan i 
' a SSOS(conng-lf)W nameif DMZ 
iSP S^S(cOrtllE'lf)« security level SO 
; i4J 5505(cunfig'iOfl Lp address 10 , 2 . 2.1 255*255.255.0 


jj, 5505(tomfig)# interface Vlan t 
asa 5S0S(confiE-if)^ nameif inside 
a $aSS&S[conflfi-if)# security level 100 
asaSSQSfconfig-iOff ip address 192.160.1.1 2S5.25S.25So 


4 isa5505(config) W Interface Vlan 2 

asaSSOSfecrafig-Jf}# nameif outside 

asaSSO5[conFig-1f)# security-level 0 

asa5S05(coufigdf)ft ip address 100.100,100.1 255.25S.2SS.O 


Security Plus License 

This license removes all restrictions of the Base license. Up to 20 VLANs can be configured (ports 
can be configured as Trunk ports thus supporting multiple VLANs per port). Also there are no 
communication restrictions between VLANs. This license supports also Active/Standby (non 
stateful) firewall failover redundancy and Backup ISP Connectivity [Dual ISP connection). 


15.2 ASA 5505 Default Configuration 

The ASA 5505 is factory configured in such a way as to work right away out of the box. The Internet 
/ Outside Interface (Ethernet 0/0) is configured to obtain an IP address automatically from the ISP, and 
the Inside Interfaces (Ethernet 0/1 to 0/7) are configured to provide IP addresses to internal hosts 
dynamically (DHCP). Specifically, the default ASA 5505 configuration includes the following: 

* An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The 
  VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0. 

* An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its 
  IP address using DHCP (from the ISP). 

* The default route is also derived from DHCP. 

* All inside IP addresses are translated when accessing the outside using interface PAT. 

* By default, inside users can access the outside, and outside users are prevented from 
  accessing the inside. 

* The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 
  interface receives an address on the 192.168.1.0 network (from the range 192.168.1.5 to 
  192.168.1.254). 

Restore the default factory configuration using the "configure factory-default" command. 
The Default Configuration consists of the following commands: 

interface Ethernet 0/0 
 switchport access vlan 2          <- This assigns Ethernet0/0 to Vlan 2 
 no shutdown 

interface Ethernet 0/1 
 switchport access vlan 1          <- This assigns Ethernet0/1 to Vlan 1 
 no shutdown 

interface Ethernet 0/2 
 switchport access vlan 1 
 no shutdown 

interface Ethernet 0/3 
 switchport access vlan 1 
 no shutdown 

interface Ethernet 0/4 
 switchport access vlan 1 
 no shutdown 

interface Ethernet 0/5 
 switchport access vlan 1 
 no shutdown 

interface Ethernet 0/6 
 switchport access vlan 1 
 no shutdown 

interface Ethernet 0/7 
 switchport access vlan 1 
 no shutdown 

interface vlan2                    <- Configure all interface parameters under "interface Vlan [number]" 
 nameif outside 
 no shutdown 
 ip address dhcp setroute          <- Receive IP (and default route) dynamically using DHCP from the ISP 

interface vlan1 
 nameif inside 
 ip address 192.168.1.1 255.255.255.0 
 security-level 100 
 no shutdown 

object network obj_any 
 subnet 0.0.0.0 0.0.0.0 
 nat (inside,outside) dynamic interface     <- PAT all inside hosts behind the outside interface address 

http server enable 
http 192.168.1.0 255.255.255.0 inside       <- Allow ASDM access from inside network 

dhcpd address 192.168.1.5-192.168.1.254 inside 
dhcpd auto_config outside                   <- Pass DNS/domain parameters learned from the ISP to internal DHCP clients 
dhcpd enable inside                         <- Assign IP addresses dynamically to internal PCs 
logging asdm informational 

Allow ICMP for testing 

If you want to allow ICMP for testing purposes, you need to enable icmp inspection as shown below. 

policy-map global_policy 
 class inspection_default 
  inspect icmp 
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c„ apl „ 16 Complete Co» H8 »™«»" Examp.es 
16.1 ASA 5505 Configuration Examples 

16.1. J ASASSOS Basic Internet Access with 

businesses of small branch offices with 

The ASA S5C 5 (the stnaTest A$A model) »idea! for 5ma Thjs modef CQm es with 8 port 10/108 

approximately 50 internal users {recommended rr.a. * ^ p0rts fttiernetO/1 up to- 0/7 

switch, with port Etheme<0/P used for the PuhUc/Qut ^ ^ ^ m0 del$ Is that its 

fortfc«Iitsidezmie.ThedI&tTO«oft^ model rtmpaff '" flt ^figure EP addresses directly 

noworkpoits acepun Uy «2 wttci. penx. Thi; VWN.xnd >hen 

on the physical interfaces. Instead you have to assign 

. . _. r * viAN comma no. 

configure alt Firewall Interface paomete rs usi ng th e i 

faU.rartoft.KK.'««,««»-.—*-• PAT ' ***" 

on the outside (IOO.I. 1 . 2 J, The Firewall will act also as a DHCP server for assigning IP a resses bo 

inside hosts. 


PAT 



Let's see the complete configuration below. The commands with Bold arc important 
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.1.1.2 255.255.255.252
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
 switchport access vlan 2
!
! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
!
! Create an ACL on the outside that will allow only echo-reply for testing purposes. Also, we use
! a deny statement with log at the end to monitor any attacks coming from outside.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
! Do PAT using the outside interface address
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Apply the ACL created above to the outside interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
! Configure Local authentication for firewall management (For accessing the Firewall you need to
! use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
! Create a Local username and password with administrator privileges
username admin password secretpass privilege 15
! [other commands omitted]


16.1.2 ASA 5505 with Dynamic IP Address and DMZ Host



In this scenario we have three security zones (inside, outside and DMZ) and on the DMZ a Web Server. This scenario can work with both Base License and Security Plus license. However with a Security Plus license the DMZ public server (whatever that be - FTP, Web etc) will be able to initiate traffic also to the Inside network zone (with the proper configuration). Instead of having a web server on DMZ, you can use this scenario also to host a Wireless Access Point or a VoIP Router in the DMZ zone.

Since we have three security zones, we must create also three VLANs. VLAN1 (inside) will be assigned to ports Ethernet0/2 up to 0/7, VLAN2 (outside) will be assigned to port Ethernet0/0, and VLAN3 (DMZ) will be assigned to Ethernet0/1.

[Figure: ASA 5505 with DMZ. Web Server 10.0.0.10 on the DMZ; inside LAN 192.168.1.0/24 with the ASA at 192.168.1.1; the ASA acts as DHCP Client on Outside and as DHCP Server on Inside.]

Let's see the complete configuration below. The commands with Bold are important.


1 
ASA-5505# show run
: Saved
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
! Get outside address and default gateway from ISP
 ip address dhcp setroute
!
interface Vlan3
! Use the following command ONLY if you have a BASE LICENSE
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
 switchport access vlan 2
!
! Assign Eth0/1 to vlan 3.
interface Ethernet0/1
 switchport access vlan 3
!
! The rest are by default assigned to vlan 1. No need to change anything.
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
!
! Create an ACL on outside that will allow access to the DMZ Web Server.
access-list outside_in extended permit tcp any host 10.0.0.10 eq 80
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no asdm history enable
arp timeout 14400
!
! Do PAT on the outside and DMZ interfaces for the inside network
object network internal_lan_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network internal_lan_dmz
 subnet 192.168.1.0 255.255.255.0
 nat (inside,DMZ) dynamic interface
!
! Create a static redirection for port 80 towards the DMZ web server
object network web_server_static
 host 10.0.0.10
 nat (DMZ,outside) static interface service tcp 80 80
!
! Do PAT on the outside for the DMZ web server. This will allow Web Server access to Internet.
object network dmz_to_outside
 subnet 10.0.0.0 255.255.255.0
 nat (DMZ,outside) dynamic interface
!
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
! Configure Local authentication for firewall management (For accessing the Firewall you need to
! use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
! Configure here the username and password for accessing the device
username admin password secretpass privilege 15
16.1.3 ASA 5505 with Microsoft SBS Server on the Inside

A common network scenario that I encounter all the time is to have a Cisco ASA 5505 working as Internet Border device and also a Microsoft Small Business Server (SBS) connected to the LAN network. This is suitable for small businesses and SOHO environments and offers an ideal solution with great features. Although the best solution would be to have the SBS server located on a DMZ zone instead of directly connected to the internal LAN, here we assume that we have a Base License on the ASA 5505 which does not allow DMZ configuration.

The requirement is to have all internal hosts (users' computers) browse the Internet and also to allow access from the Internet towards the SBS server. The example below will work for any SBS version (2003, 2008, 2011 etc). Depending on which services on the SBS you want to allow access from the Internet, you will need to allow the appropriate ports on the firewall. In our example below we assume that we have a single static Public IP address (100.1.1.1) configured on the outside interface of the ASA. This means that we will need to configure port redirection on the ASA in order to redirect the required traffic to the internal SBS Server (e.g. traffic from the Internet to IP 100.1.1.1 port 80 will be redirected to internal IP 192.168.1.100 / port 80 (SBS Server)).

[Figure: ASA 5505 with Microsoft SBS on the inside. Outside 100.1.1.1 (Ethernet0/0); inside 192.168.1.1, LAN 192.168.1.0/24 (Ethernet0/2); Microsoft SBS 192.168.1.100. Traffic from the Internet to ports 80, 25 etc. will be redirected to the SBS.]

Let's see the complete configuration below. The commands with Bold are important.
ASA-5505# show run
: Saved
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.252
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
 switchport access vlan 2
!
! The rest are by default assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
!
! Create an ACL on the outside that will allow access to the SBS Server. Modify the ACL below
! according to which ports you actually need for accessing the SBS server.
access-list outside_in extended permit tcp any host 192.168.1.100 eq 80
access-list outside_in extended permit tcp any host 192.168.1.100 eq 25
access-list outside_in extended permit tcp any host 192.168.1.100 eq 443
access-list outside_in extended permit tcp any host 192.168.1.100 eq 3389
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
!
! Do PAT on the outside interface
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Create static port redirections towards the internal SBS Server. Modify the commands below
! according to which ports you actually need for accessing the SBS server.
! Note that we use the keyword "interface" because the mapped IP is the one assigned on the
! outside interface.
object network sbs_server_static_80
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 80 80
object network sbs_server_static_25
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 25 25
object network sbs_server_static_443
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 443 443
object network sbs_server_static_3389
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 3389 3389
!
! Apply the ACL we have created above to the outside interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
!
! Configure Local authentication for firewall management (For accessing the Firewall you need to
! use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd enable inside
!
! [some commands omitted]
!
! Configure here the username and password for accessing the device
username admin password secretpass privilege 15
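The port-redirection configuration above depends on two things staying in step: every static PAT object needs a matching outside_in permit (since ASA 8.3 the interface ACL references the real inside address and port, not the mapped outside one), and the ACL must still end in the explicit deny with log. The following Python script is an added example and not the book's code: it parses a show-run style excerpt constructed from the 16.1.3 configuration and reports any redirection without a permit, a missing final deny, or management access (telnet, or ssh from any source) opened on the outside interface; the PORT_NAMES table is a partial list of the port keywords the ASA accepts.

```python
"""Consistency check for ASA static PAT redirections versus the outside ACL.

Added example, not the book's code. Since ASA 8.3 an interface ACL matches
the real (untranslated) address and port, so every 'nat ... static interface
service tcp X Y' object needs a permit for the inside host and real port X.
"""
import re

# Constructed excerpt of the 16.1.3 running configuration (only the lines the
# check looks at, in the book's order).
ASA_5505_SBS = """\
access-list outside_in extended permit tcp any host 192.168.1.100 eq 80
access-list outside_in extended permit tcp any host 192.168.1.100 eq 25
access-list outside_in extended permit tcp any host 192.168.1.100 eq 443
access-list outside_in extended permit tcp any host 192.168.1.100 eq 3389
access-list outside_in extended deny ip any any log
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network sbs_server_static_80
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 80 80
object network sbs_server_static_25
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 25 25
object network sbs_server_static_443
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 443 443
object network sbs_server_static_3389
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 100.100.100.1 255.255.255.255 outside
"""

# A few of the port keywords the ASA accepts instead of numbers (partial table).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443, "ftp": 21}
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static interface service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (\S+) (.*)")


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_static_redirections(cfg):
    """One record per 'object network' block that carries a static PAT rule."""
    redirs, obj, host = [], None, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            obj, host = line.split()[2], None
        elif line.startswith(" host ") and obj:
            host = line.split()[1]
        elif obj and (m := NAT_RE.search(line)):
            _real_ifc, mapped_ifc, proto, real_port, mapped_port = m.groups()
            redirs.append({"object": obj, "host": host, "proto": proto,
                           "real_port": port_number(real_port),
                           "mapped_port": port_number(mapped_port), "mapped_ifc": mapped_ifc})
    return redirs


def parse_acl(cfg, name):
    """Entries of one extended ACL in configured order (host/eq form only)."""
    entries = []
    for m in ACL_RE.finditer(cfg):
        acl, action, proto, src, rest = m.groups()
        if acl != name:
            continue
        dst = re.match(r"host (\S+)(?: eq (\S+))?", rest)
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst.group(1) if dst else rest.split()[0],
                        "port": port_number(dst.group(2)) if dst and dst.group(2) else None,
                        "log": rest.split()[-1] == "log"})
    return entries


def check_outside_policy(cfg, acl_name="outside_in"):
    """Findings a reviewer would raise; an empty list means the config is consistent."""
    findings = []
    acl = parse_acl(cfg, acl_name)
    for r in parse_static_redirections(cfg):
        if not any(e["action"] == "permit" and e["proto"] == r["proto"]
                   and e["dst"] == r["host"] and e["port"] == r["real_port"]
                   for e in acl):
            findings.append(f"{r['object']}: no {acl_name} permit for "
                            f"{r['proto']}/{r['real_port']} to {r['host']}")
    final_deny = {"action": "deny", "proto": "ip", "src": "any",
                  "dst": "any", "port": None, "log": True}
    if not acl or acl[-1] != final_deny:
        findings.append(f"{acl_name} does not end with 'deny ip any any log'")
    # Management plane: telnet is cleartext, and ssh should be limited to known hosts.
    for m in re.finditer(r"^(telnet|ssh) (\S+) (\S+) (\w+)$", cfg, re.M):
        proto, _ip, mask, ifc = m.groups()
        if proto == "telnet" and ifc == "outside":
            findings.append("telnet (cleartext) permitted on the outside interface")
        if proto == "ssh" and ifc == "outside" and mask == "0.0.0.0":
            findings.append("ssh from any source permitted on the outside interface")
    return findings
```

Running `check_outside_policy(ASA_5505_SBS)` on the excerpt returns an empty list; removing one permit or the final deny, or adding a telnet line on the outside, produces the corresponding finding.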








16.1.4 ASA 5505 with PPPoE Internet Access

For broadband DSL or Cable access connectivity, many ISPs provide Point-to-Point Protocol over Ethernet (PPPoE) access, as will be described in this example scenario. If the ISP supplies you with a username/password for internet access, this means that you need to configure your ASA as PPPoE client. Most often, in this setup the ISP provides you also with a Modem which will bridge the DSL or Cable connectivity between the Customer Premises Equipment (ASA 5505 in our case) and the ISP equipment. In the following typical environment the ISP is providing a Public IP address to the ASA via PPPoE:

[Figure: ASA 5505 with PPPoE. Inside 192.168.1.1 (Ethernet0/1), LAN 192.168.1.0/24; the ASA acts as PPPoE Client to the ISP and as DHCP Server on Inside.]

Let's see the complete configuration below. The commands with Bold are important.
ASA-5505# show run
: Saved
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
interface Vlan2
 nameif outside
 security-level 0
! Configure this VLAN as PPPoE Client and associate the pppoe group ATT
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
 switchport access vlan 2
!
! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
!
! Create an ACL on the outside that will allow only echo-reply for testing purposes. Also, we use
! a deny statement with log at the end to monitor any attacks coming from outside.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
! Configure the outside MTU as 1492 since there is an 8 byte overhead for PPPoE
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
! Do PAT using the outside interface address
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
! Configure Local authentication for firewall management (For accessing the Firewall you need to
! use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
!
! Create the "ATT" pppoe group with the ISP connection details
vpdn group ATT request dialout pppoe
vpdn group ATT localname [ENTER ISP USERNAME HERE]
vpdn group ATT ppp authentication chap   [or pap, depends on your ISP settings]
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
! Configure here the username and password for accessing the device
username admin password secretpass privilege 15
16.2 ASA VPN Configuration Examples

16.2.1 Hub-and-Spoke IPSEC VPN with Dynamic IP Spoke

This is a very common and useful scenario which you can apply to a large number of Spokes depending on your network topology. Many Enterprises usually have a large Central site (HUB) which shares resources with several remote branches (SPOKES). You can build a WAN data network between the Central site and the branches using dedicated Communication lines (very expensive) or you can use cheap Internet connectivity to build a private IPSEC Hub-and-Spoke VPN, as illustrated in the example network below. The central Hub site and one Spoke site have static IP addresses, and the second Spoke site has a Dynamic IP address. To setup our Hub-and-Spoke VPN, we need to create two Site-to-Site IPSEC VPN tunnels between Central - Branch1 and Central - Branch2.

Note that this example uses the traditional IKEv1 IPSEC.

[Figure: Hub and Spoke IPSEC VPN. ASA-1 (HUB): outside GE0 20.20.20.2, inside GE1 192.168.1.0/24 (LAN-1). ASA-2 (Static Spoke): outside 30.30.30.2, LAN-2 192.168.2.0/24. ASA-3 (Dynamic Spoke): outside Dynamic IP, LAN-3 192.168.3.0/24. IPSEC Site-to-Site VPN tunnels from each spoke to the hub.]

Let's see the complete configuration below. The commands with Bold are important.


ASA-1 (HUB)

hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
! Create objects with all local and remote LAN subnets
object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-remote1
 subnet 192.168.2.0 255.255.255.0
object network obj-remote2
 subnet 192.168.3.0 255.255.255.0
object network internal-lan
 subnet 192.168.1.0 255.255.255.0
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
! Select the Interesting Traffic to be encrypted
access-list VPN-ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-ACL2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400














crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! The following tunnel group (DefaultL2LGroup) is used for the Dynamic IP Spoke
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key secretkey2
! The following tunnel group (30.30.30.2) is used for the Static IP Spoke
tunnel-group 30.30.30.2 type ipsec-l2l
tunnel-group 30.30.30.2 ipsec-attributes
 ikev1 pre-shared-key secretkey1
!
username admin password secretpass privilege 15
! (other commands omitted)


ASA-2 (Static IP Spoke)

hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 30.30.30.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
! Create objects with all local and remote LAN subnets
object network obj-local
 subnet 192.168.2.0 255.255.255.0
object network obj-remote
 subnet 192.168.1.0 255.255.255.0
object network internal-lan
 subnet 192.168.2.0 255.255.255.0
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
! Select the Interesting Traffic to be encrypted
access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Do not translate VPN Traffic
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
! Do PAT for the internal LAN using ASA outside interface
object network internal-lan
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 30.30.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
! Phase 2 transform set with the ESP encryption and authentication protocols
crypto ipsec ikev1 transform-set TRSET esp
! Create a main crypto map for the VPN
crypto map VPNMAP 5 match address VPN-ACL
crypto map VPNMAP 5 set peer 20.20.20.2
crypto map VPNMAP 5 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
! Configure and enable the Phase 1 isakmp policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Tunnel group with the central Hub site
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
 ikev1 pre-shared-key secretkey1
!
username admin password secretpass privilege 15
! [other commands omitted]


ASA-3 (Dynamic IP Spoke)

hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! Outside Interface receives a dynamic IP address using DHCP from the ISP
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Create objects with all local and remote LAN subnets
object network obj-local
 subnet 192.168.3.0 255.255.255.0
object network obj-remote
 subnet 192.168.1.0 255.255.255.0
object network internal-lan
 subnet 192.168.3.0 255.255.255.0
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
! Select VPN traffic
access-list VPN-ACL extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Do not translate VPN Traffic
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
! Do PAT for the internal LAN using ASA outside interface
object network internal-lan
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
! Phase 2 transform set with the ESP encryption and authentication protocols
crypto ipsec ikev1 transform-set TRSET esp
! Configure a main crypto map with the VPN settings
crypto map VPNMAP 5 match address VPN-ACL
crypto map VPNMAP 5 set peer 20.20.20.2
crypto map VPNMAP 5 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
! Configure and enable the Phase 1 isakmp policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Tunnel group with the central Hub site
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
 ikev1 pre-shared-key secretkey2
!
username admin password secretpass privilege 15
! (other commands omitted)
16.2.2 Site-to-Site IKEv2 IPSEC VPN between two ASA

IKEv1 IPSEC VPN has been the standard for many years. Its successor, IKEv2, is the new standard which is gradually being adopted by the VPN networking industry, so now we are in a transitional state where many enterprises are implementing IKEv2 while they still have legacy tunnels using IKEv1. In this configuration example we have two ASA firewalls with a site-to-site VPN using the new IKEv2 IPSEC standard.

[Figure: IPSEC Site-to-Site VPN with IKEv2. ASA-1: outside 100.100.100.1, inside 192.168.10.0/24 (LAN-1). ASA-2: outside 200.200.200.1, inside 192.168.11.0/24 (LAN-2).]

Let's see the complete configuration below. The commands with Bold are important.
ASA-1

hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
! Create network objects for the local and remote subnets
object network obj-local
 subnet 192.168.10.0 255.255.255.0
object network obj-remote
 subnet 192.168.11.0 255.255.255.0
object network internal-lan
 subnet 192.168.10.0 255.255.255.0
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
! Define VPN interesting traffic with an ACL
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! NAT Exemption for VPN traffic
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
! PAT for the inside network
object network internal-lan
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! Create IKEv2 IPSEC Proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-AES-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
! Main crypto map which binds several ipsec settings together
crypto map outside_map 1 match address VPN-ACL
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2-AES-SHA
crypto map outside_map interface outside
! IKEv2 policy (similar to Phase 1 in ikev1)
crypto ikev2 policy 1
 encryption aes 3des
 integrity sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Allow ikev2 as tunnel protocol
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 general-attributes
 default-group-policy GroupPolicy1
! Define both local and remote preshared keys. They must be reversed on the other site
tunnel-group 200.200.200.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco1
 ikev2 local-authentication pre-shared-key cisco1234
!
! [other commands omitted]


ASA-2 


hostname ASA-2 

enable password 8Ry2Yj!yt7RRXU24 encrypted 
passwd 2KFQnbNld],2KYOU encrypted 
names 
r 

interface GlgabltEthernetO 
naiueif outside 
security-level Q 

ip address 200.2002200.1 255.255.255.0 




itFthernctl 


F 168.11.254 255.255,2 5 5.0 

[ n t <? r/aceGigaljltEthemet2 

S (lLjt(j0^H 

notiarneif 
n0 security-level 

„0 ip address 

interface GigabitEtlieniet3 

shutdown 

n u nameif 

no security-level 

no ip address 

! . . 

interface GigabLtEthernet4 

shutdown 
no named 
no security-level 
no ip address 

[ 

interface G iga b itEtb erne t$ 

shutdown 

no itameif 

no security-level 

no ip address 

[ 

Ftp mode passive 

Wreate network objects for the local and remote subnets 

object network obj- local 

subnet 192.168.11.0 255-255-255,0 

object network obj-remote 

subnet 192.168.10,0 255,255,255.0 

object network internal-!an 

subnet 192.168,1 1.0 255,255.255.0 

access-list out$ideJn extended permit iemp any any echo-reply 
access-list outsidejn extended deny ip any any log 

define VPN interesting traffic with an ACL 

afcess-listVPN-ACL extended permit ip 192*168,11.0 255,255.255.0 192.16810-0 
255,255.255.0 

pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!NAT exemption for the VPN traffic (identity NAT from the local to the remote subnet, so tunnel traffic is not translated)

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
!PAT for the inside network

object network internal-lan
 nat (inside,outside) dynamic interface

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


!Create IKEv2 IPSEC Proposal

crypto ipsec ikev2 ipsec-proposal IKEV2-AES-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1

!Main crypto map which binds several ipsec settings together

crypto map outside_map 1 match address VPN-ACL
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2-AES-SHA
crypto map outside_map interface outside

!IKEv2 policy (similar to Phase 1 in IKEv1)

crypto ikev2 policy 1
 encryption aes 3des
 integrity sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!Group policy for the tunnel protocol

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 general-attributes
 default-group-policy GroupPolicy1

!Define both local and remote preshared keys. They must be reversed on the other site

tunnel-group 100.100.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco1234
 ikev2 local-authentication pre-shared-key cisco1
!
![other commands omitted]
16.2.3 Remote Access VPN with IKEv1, IKEv2 and SSL on the same ASA Device

After configuring the ASA in this scenario we will have a device that supports almost all remote access VPN technologies supported by Cisco. Specifically, we will configure the ASA to accommodate remote access VPNs using the legacy IKEv1 IPSEC VPN, the new IKEv2 IPSEC VPN and also SSL VPNs. The first VPN type (IKEv1) will work with the Cisco VPN Client software installed on the user's PC. The other two (IKEv2 and SSL VPN) will work with the new AnyConnect Secure Mobility Client (version 3.x and above), as described in the main ASA book.


[Diagram: Corporate LAN 192.168.1.0/24 behind the ASA; three remote access users connect over the Internet: an SSL user with AnyConnect, an IKEv2 user with AnyConnect and an IKEv1 user with the Cisco VPN Client. The ASA assigns VPN addresses from the range 192.168.20.1-20]


The following configuration has several pre-requisite settings that need to be in place in order to work. Specifically you need to create an AnyConnect XML Profile for the IKEv2 VPN as we have described in the main book. Optionally you can also have an XML Profile for the SSL VPN tunnel. These XML profiles must be created and copied to the flash of the ASA. Also, you must create RSA keys in order to generate a self-signed ASA certificate for the IKEv2 VPN (as we have described before). You can also have certificates signed from a third party CA instead of self-signed. Let's see the complete configuration below:
!It is important to configure a hostname and domain name

hostname vpnasa
domain-name mycompany.com

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
![other interface commands omitted]


!It is important to have correct clock settings and time-zone

clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS
 domain-name mycompany.com

!Create network objects for the local LAN and for the VPN pool

object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.20.0 255.255.255.0
object network FOR_PAT
 subnet 192.168.1.0 255.255.255.0

!split-tunnel ACL to enable the split tunneling feature

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500

!Address pool handed out to the remote access users (referenced as VPNpool by the tunnel groups below)
ip local pool VPNpool 192.168.20.1-192.168.20.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


!NAT exemption for the VPN traffic. Manual NAT rules are matched in order, so this identity
!rule must come before the dynamic PAT rule below, otherwise traffic to the VPN pool would be PATed

nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup

!PAT configuration for the internal LAN

nat (inside,outside) source dynamic FOR_PAT interface

route outside 0.0.0.0 0.0.0.0 20.20.20.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


!Phase2 IPSEC Configuration for IKEv1

crypto ipsec ikev1 transform-set IKEv1-TS esp-3des esp-sha-hmac

!IPSEC Proposal (Phase2) Configuration for IKEv2

crypto ipsec ikev2 ipsec-proposal AES-3DES
 protocol esp encryption aes 3des
 protocol esp integrity sha-1 md5

!Create Dynamic Crypto maps for IKEv1 and IKEv2

crypto dynamic-map DYN_MAP 5 set ikev1 transform-set IKEv1-TS
crypto dynamic-map DYN_MAP 10 set ikev2 ipsec-proposal AES-3DES

!Attach the dynamic crypto map above to a static crypto map

crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

!This is the Trustpoint for the self-signed certificate

crypto ca trustpoint SELF-TP
 enrollment self
 subject-name CN=vpnasa.mycompany.com
 keypair rsakeys
 crl configure

!The following is created automatically when you generate the self-signed certificate
crypto ca certificate chain SELF-TP
 certificate 26239652
  [certificate hex dump omitted]
 quit

crypto isakmp identity address

crypto ikev2 policy 1
 encryption aes
 integrity sha
 group 5 2
 lifetime seconds 86400

!IKEv2 client-services and Trustpoint SSL authentication for IKEv2

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SELF-TP

crypto ikev1 enable outside

!Create IKEv1 isakmp policy

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point SELF-TP outside

!Settings for the AnyConnect client (SSL and IKEv2)

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 !The following XML profiles must be copied to the ASA flash (disk0). The file names
 !shown here are assumed to match the profile names; use the names of your own files
 anyconnect profiles ikev2profile disk0:/ikev2profile.xml
 anyconnect profiles sslprofile disk0:/sslprofile.xml
 anyconnect enable
 tunnel-group-list enable

!Configure separate VPN group policies for each type of VPN user
!This is the VPN policy for SSL VPN remote access users

group-policy SSL-USERS-POLICY internal
group-policy SSL-USERS-POLICY attributes
 dns-server value 192.168.1.15
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 20
  anyconnect profiles value sslprofile type user
  anyconnect ask none default anyconnect

!This is the VPN policy for IKEv2 VPN remote access users

group-policy IKEv2-USERS-POLICY internal
group-policy IKEv2-USERS-POLICY attributes
 dns-server value 192.168.1.15
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 20
  anyconnect profiles value ikev2profile type user
  anyconnect ask none default anyconnect

!This is the VPN policy for legacy IKEv1 VPN remote access users

group-policy IKEv1-USERS-POLICY internal
group-policy IKEv1-USERS-POLICY attributes
 dns-server value 192.168.1.15
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

!Create local users for each type of remote access users

![username commands for the SSL, IKEv2 and IKEv1 users and for the privilege 15 admin user omitted]

!Create separate tunnel groups for each type of VPN

!For IKEv2 VPN

tunnel-group ikev2remoteaccess type remote-access
tunnel-group ikev2remoteaccess general-attributes
 address-pool VPNpool
 default-group-policy IKEv2-USERS-POLICY
tunnel-group ikev2remoteaccess webvpn-attributes
 group-alias ikev2_users enable

!For SSL VPN

tunnel-group sslremoteaccess type remote-access
tunnel-group sslremoteaccess general-attributes
 address-pool VPNpool
 default-group-policy SSL-USERS-POLICY
tunnel-group sslremoteaccess webvpn-attributes
 group-alias sslvpn_users enable

!For IKEv1 VPN

tunnel-group ikev1remoteaccess type remote-access
tunnel-group ikev1remoteaccess general-attributes
 address-pool VPNpool
 default-group-policy IKEv1-USERS-POLICY
tunnel-group ikev1remoteaccess ipsec-attributes
 ikev1 pre-shared-key secretgroupkey
!
![other commands omitted]
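The IKE policies shown on this page (the IKEv2 site-to-site policy with "encryption aes 3des", "integrity sha md5" and "group 2", and the IKEv1 and IKEv2 remote access policies just listed) all admit algorithms that current guidance treats as weak or legacy. The Python script below is an added example written for this edit, not code from the book or from Cisco: it parses the "crypto ikev1 policy", "crypto ikev2 policy", "crypto ipsec ikev1 transform-set" and "crypto ipsec ikev2 ipsec-proposal" blocks out of a saved running-config and reports every weak algorithm and every small Diffie-Hellman group. The embedded sample config is constructed from the snippets in this section; which algorithms count as weak (DES, 3DES, MD5, DH groups 1/2/5) and legacy (SHA-1) is this example's own choice.

```python
"""Lint the IKE/IPsec algorithm choices in a Cisco ASA running-config.

Added example for this page; it is not code from the book or from Cisco.
The config text below is constructed from the snippets shown in this section.
"""

# Algorithm classes used by this linter (this example's own judgement).
# NULL is deliberately not listed: "integrity null" is correct with AES-GCM.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY = {"sha", "sha-1", "sha1", "esp-sha-hmac"}
WEAK_DH = {"1", "2", "5"}

SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set IKEv1-TS esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-3DES
 protocol esp encryption aes 3des
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes 3des
 integrity sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

CRYPTO_BLOCKS = ("crypto ikev1 policy", "crypto ikev2 policy",
                 "crypto ipsec ikev2 ipsec-proposal")


def parse_blocks(config):
    """Group each top-level line with its indented sub-commands (ASA indents by one space)."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.split())
        else:
            blocks.append((line.strip(), []))
    return blocks


def _judge(findings, where, alg):
    a = alg.lower()
    if a in WEAK:
        findings.append((where, f"{alg} is weak: remove it from the proposal"))
    elif a in LEGACY:
        findings.append((where, f"{alg} is SHA-1 based (legacy): prefer sha256 or stronger"))


def lint(config):
    """Return a list of (where, message) findings; an empty list means nothing was flagged."""
    findings = []
    for head, children in parse_blocks(config):
        tokens = head.split()
        if head.startswith("crypto ipsec ikev1 transform-set"):
            # Single-line Phase 2 definition: "... transform-set NAME alg alg"
            for alg in tokens[5:]:
                _judge(findings, f"transform-set {tokens[4]}", alg)
        elif head.startswith(CRYPTO_BLOCKS):
            where = " ".join(tokens[1:])
            for child in children:
                if child[0] in ("encryption", "integrity", "hash", "prf"):
                    for alg in child[1:]:
                        _judge(findings, where, alg)
                elif child[0] == "group":
                    for grp in child[1:]:
                        if grp in WEAK_DH:
                            findings.append((where, f"DH group {grp} is too small: use group 14 or higher"))
                elif child[:3] in (["protocol", "esp", "encryption"], ["protocol", "esp", "integrity"]):
                    for alg in child[3:]:
                        _judge(findings, where, alg)
    return findings


if __name__ == "__main__":
    for where, message in lint(SAMPLE_CONFIG):
        print(f"{where}: {message}")
```

Paste the output of "show running-config crypto" into a file and pass its contents to lint(). Every IKE policy and proposal is a list: a weak member is only harmless if no peer negotiates it, and the ASA accepts the first match the peer proposes, so the practical fix is to remove the flagged algorithms rather than simply prepend stronger ones.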
16.2.4 Anyconnect SSL VPN with Microsoft Active Directory Authentication

This is a scenario used frequently by many enterprises which have an internal Microsoft Active Directory (AD) server containing all users' credentials. Instead of configuring usernames/passwords on the ASA device for authenticating the remote access users, you can use the existing AD to authenticate the users with their domain account. One important thing to keep in mind is that you must create an AD user account which has the privileges to login, search and retrieve account information from the directory. In the ldap-login-dn command below you must use a proper username which has enough privileges to be able to search/read/lookup users in the LDAP server. The ASA will use this "admin" user account to connect to the AD (whenever a remote user tries to authenticate) in order to lookup the remote user credentials and confirm the user authentication.

[Diagram: remote AnyConnect SSL VPN users connect to the ASA, which authenticates them against the internal Active Directory server on the Corporate LAN]

Let's see the configuration below based on the diagram above.
hostname ASA1

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
![other interface commands omitted]

ftp mode passive

!Create network objects for the local LAN and for the VPN pool

object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.5.0 255.255.255.0
object network FOR_PAT
 subnet 192.168.1.0 255.255.255.0

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500

ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!NAT exemption for the VPN traffic (must precede the dynamic PAT rule)
nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp route-lookup
nat (inside,outside) source dynamic FOR_PAT interface

route outside 0.0.0.0 0.0.0.0 20.20.20.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy

!Define the internal AAA server using the LDAP protocol, with user "admin" (password cisco) which
!has privileges to query the AD. The base DN must be obtained from the AD tree. Adjust the
!ldap-login-dn to the container where your admin account actually lives. The default search
!scope is onelevel; set ldap-scope subtree if the users are not directly under the base DN.

aaa-server AD-SERVER protocol ldap
aaa-server AD-SERVER (inside) host 192.168.1.20
 ldap-base-dn dc=mycompany,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password cisco
 ldap-login-dn cn=admin,cn=Users,dc=mycompany,dc=com
 server-type microsoft

user-identity default-domain LOCAL

http redirect outside 80

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept


!Configure the SSL WebVPN

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg
 anyconnect enable
 tunnel-group-list enable

group-policy Anyconnect-Policy internal
group-policy Anyconnect-Policy attributes
 dns-server value 192.168.1.15
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 20
  anyconnect ask none default anyconnect
!Tunnel group for the SSL VPN users

tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
 address-pool VPNpool
 !Specify the AAA server configured above as the authentication server for this tunnel
 authentication-server-group AD-SERVER
 default-group-policy Anyconnect-Policy
tunnel-group telecommuters webvpn-attributes
 group-alias sslgroup_users enable

![other commands omitted]
16.2.5 Special site-to-site IPSEC VPN between two ASA with Controlled VPN access

In this configuration scenario we will discuss a site-to-site IPSEC VPN implementation between two ASA devices. However, this will not be the classical simple VPN scenario that you find everywhere. One of the sites will be the Headquarters (HQ) site with 2 internal network subnets (LAN1 and LAN2) and a DMZ subnet. The other site will be a remote Branch site, again using a Cisco ASA firewall as its border Internet device.

In a regular site-to-site VPN scenario the two sites will have full LAN access between them over the VPN tunnel by default. In our special scenario here the remote branch site will have full network access only to the HQ DMZ subnet BUT restricted access to the two internal LAN networks of the HQ site. Specifically, the branch site will be allowed to access only a Web Server in Internal LAN1 of HQ and an Email Server in Internal LAN2 of HQ.

The above scenario will demonstrate several concepts in addition to the classical site-to-site ASA IPSEC VPN configuration. It will show how to pass multiple networks inside a VPN tunnel, how to access a DMZ via a VPN, how to restrict VPN traffic to specific hosts and ports etc.

[Diagram: HQ ASA1 (outside 20.20.20.2) with LAN1 192.168.1.0/24 (Web Server 192.168.1.10) and LAN2 192.168.2.0/24 (Email Server 192.168.2.20) behind an internal router 10.0.0.1, and DMZ 172.16.1.0/24; Branch ASA2 (outside 30.30.30.2) with LAN 192.168.10.0/24; IPSEC tunnel over the Internet between the two ASAs]

Let's see the configuration for both ASA devices below:
ASA1 (HQ Site)

hostname ASA1
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
![other interface commands omitted]

ftp mode passive

!Create network objects for the local and remote LANs

object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object network DMZ-LAN
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.10.0 255.255.255.0

!Create ACL to match the VPN traffic you want to encrypt

access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0


!With "sysopt connection permit-vpn" disabled (see below) the outside ACL controls what the remote
!LAN may reach after decryption: the whole DMZ, the Web Server and the Email Server. IKE and ESP
!addressed to the ASA itself are to-the-box traffic and are not subject to this interface ACL.

access-list outside_in extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.10 eq 80
access-list outside_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.2.20 eq 25


pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!Create the required NAT Exemptions for VPN traffic

nat (inside,outside) source static LAN1 LAN1 destination static obj-remote obj-remote
nat (inside,outside) source static LAN2 LAN2 destination static obj-remote obj-remote
nat (dmz,outside) source static DMZ-LAN DMZ-LAN destination static obj-remote obj-remote

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route inside 192.168.1.0 255.255.255.0 10.0.0.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!This command is important: it disables the mechanism that automatically allows all decrypted
!VPN traffic, so that you can control which VPN traffic you want to allow with the outside ACL
no sysopt connection permit-vpn

!The following commands configure IKEv1 IPSEC VPN parameters

crypto ipsec ikev1 transform-set TRSET esp-aes esp-sha-hmac

crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 30.30.30.2
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group 30.30.30.2 type ipsec-l2l
tunnel-group 30.30.30.2 ipsec-attributes
 ikev1 pre-shared-key secretkey1
!
![other commands omitted]


ASA2 (Branch Site)

hostname ASA2

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 30.30.30.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
![other interface commands omitted]

ftp mode passive

!Create network objects for the local and remote LANs

object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object network DMZ-LAN
 subnet 172.16.1.0 255.255.255.0
object network obj-local
 subnet 192.168.10.0 255.255.255.0

!The crypto ACL must be the mirror image of the one on ASA1

access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!Create the required NAT Exemptions for VPN traffic

nat (inside,outside) source static obj-local obj-local destination static LAN1 LAN1
nat (inside,outside) source static obj-local obj-local destination static LAN2 LAN2
nat (inside,outside) source static obj-local obj-local destination static DMZ-LAN DMZ-LAN

route outside 0.0.0.0 0.0.0.0 30.30.30.1 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!The following commands configure IKEv1 IPSEC VPN parameters

crypto ipsec ikev1 transform-set TRSET esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 20.20.20.2
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
 ikev1 pre-shared-key secretkey1
!
![other commands omitted]
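The two listings above must agree in two places that are easy to get wrong by hand: every VPN-ACL entry on the HQ ASA1 must have its mirror image (source and destination swapped) on the Branch ASA2, and every encrypted pair must be covered by an identity NAT rule on its own side, otherwise the traffic is translated before it is matched against the crypto ACL and never enters the tunnel. The Python script below is an added example written for this edit, not code from the book or from Cisco; it parses the object, access-list and manual NAT lines of both peers (the fragments embedded in it are constructed from the ASA1 and ASA2 configurations in this section) and reports any pair that is not mirrored or not exempted.

```python
"""Cross-check the crypto ACLs and NAT exemptions of two site-to-site peers.

Added example for this page; it is not code from the book or from Cisco.
The two config fragments are constructed from the ASA1 (HQ) and ASA2
(Branch) listings in this section.
"""
import ipaddress
import re

ASA1 = """\
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object network DMZ-LAN
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN1 LAN1 destination static obj-remote obj-remote
nat (inside,outside) source static LAN2 LAN2 destination static obj-remote obj-remote
nat (dmz,outside) source static DMZ-LAN DMZ-LAN destination static obj-remote obj-remote
"""

ASA2 = """\
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object network DMZ-LAN
 subnet 172.16.1.0 255.255.255.0
object network obj-local
 subnet 192.168.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static LAN1 LAN1
nat (inside,outside) source static obj-local obj-local destination static LAN2 LAN2
nat (inside,outside) source static obj-local obj-local destination static DMZ-LAN DMZ-LAN
"""

Net = ipaddress.IPv4Network


def parse_objects(config):
    """Map 'object network' names to networks (subnet and host forms)."""
    objects, name = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            name = m.group(1)
        elif name and (m := re.match(r" subnet (\S+) (\S+)$", line)):
            objects[name] = Net(f"{m.group(1)}/{m.group(2)}")
        elif name and (m := re.match(r" host (\S+)$", line)):
            objects[name] = Net(f"{m.group(1)}/32")
    return objects


def crypto_acl_pairs(config, acl_name="VPN-ACL"):
    """(src, dst) networks the crypto ACL marks as interesting traffic."""
    pattern = re.compile(
        rf"access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    pairs = set()
    for line in config.splitlines():
        if m := pattern.match(line):
            pairs.add((Net(f"{m.group(1)}/{m.group(2)}"), Net(f"{m.group(3)}/{m.group(4)}")))
    return pairs


def nat_exempt_pairs(config):
    """(src, dst) pairs covered by identity (exemption) manual NAT rules."""
    objects = parse_objects(config)
    pattern = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    pairs = set()
    for line in config.splitlines():
        m = pattern.match(line)
        # Only real==mapped on both sides is an exemption; anything else translates.
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            pairs.add((objects[m.group(1)], objects[m.group(3)]))
    return pairs


def check_site_pair(cfg_a, cfg_b, acl_name="VPN-ACL"):
    """Return human-readable problems; an empty list means the two peers agree."""
    problems = []
    acl_a, acl_b = crypto_acl_pairs(cfg_a, acl_name), crypto_acl_pairs(cfg_b, acl_name)
    mirror_of_b = {(dst, src) for src, dst in acl_b}
    for src, dst in sorted(acl_a - mirror_of_b, key=str):
        problems.append(f"A encrypts {src} -> {dst} but B has no mirrored entry")
    for src, dst in sorted(mirror_of_b - acl_a, key=str):
        problems.append(f"B encrypts {dst} -> {src} but A has no mirrored entry")
    for label, cfg, acl in (("A", cfg_a, acl_a), ("B", cfg_b, acl_b)):
        for src, dst in sorted(acl - nat_exempt_pairs(cfg), key=str):
            problems.append(f"{label}: no NAT exemption for {src} -> {dst}; tunnel traffic would be translated")
    return problems


if __name__ == "__main__":
    print(check_site_pair(ASA1, ASA2) or "HQ and Branch crypto ACLs and NAT exemptions agree")
```

The check is deliberately strict about identity: a manual NAT rule whose real and mapped objects differ is a translation, not an exemption, and is ignored. Run it against the two running-configs before bringing the tunnel up; a one-sided entry is the usual reason why Phase 2 completes for some subnets and silently fails for others.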


16.3 General Configuration Examples

16.3.1 ASA Firewall with DMZ and two Internal Zones

In this scenario we will illustrate an ASA 5500 with four security zones: one Outside, one DMZ and two Internal zones (inside1 and inside2). The two Internal zones will be implemented on the same physical interface (Ge0/1) using two subinterfaces (Ge0/1.10 and Ge0/1.20). The DMZ zone will host a Web Server and an Email Server. We will use Static NAT for the DMZ servers to translate their private IP addresses to public ones (Static NAT for private IP 10.0.0.2 to public IP 100.1.1.2 and Static NAT for private IP 10.0.0.3 to public IP 100.1.1.3). Also we will impose traffic restrictions to the two Internal Zones. Inside1 users will be allowed to access only Web and Email, and Inside2 users will have unrestricted Internet access.

[Diagram: Outside 100.1.1.0/24 on Ge0/0; DMZ 10.0.0.0/24 on Ge0/2 with Web Server 10.0.0.2 and Email Server 10.0.0.3; inside1 192.168.1.0/24 on Ge0/1.10 and inside2 192.168.2.0/24 on Ge0/1.20]

Let's see the complete configuration below.
show run

hostname ASA-5500
domain-name test.com

enable password xxxxxxxxxxxxxxxx encrypted
!
interface GigabitEthernet0/0
 description CONNECTION TO OUTSIDE INTERNET
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0

!Use the same physical interface Ge0/1 to create two internal zones using VLANs

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 description CONNECTION TO INSIDE 1
 vlan 10
 nameif inside1
 security-level 90
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description CONNECTION TO INSIDE 2
 vlan 20
 nameif inside2
 security-level 90
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 description CONNECTION TO DMZ
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
i 

banner motd **WARNING**
banner motd Unauthorised access prohibited. All access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law.

no ftp mode passive

dns server-group DefaultDNS
 domain-name test.com


!Create a service object-group with the Web Ports

object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443

!Allow access from the Internet to our Web Server and Email Server. Notice the WEB-PORTS
!object-group used for the Web Server. Since ASA 8.3 the ACL must reference the real (private)
!address of the servers, not the mapped public address, because un-NAT happens before the ACL check.

access-list OUTSIDE_IN extended permit tcp any host 10.0.0.2 object-group WEB-PORTS
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.3 eq 25

!inside1 zone is only allowed to access web and email (plus DNS so that names can be resolved)

access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list INSIDE1_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain

!inside2 zone is allowed to access all protocols

access-list INSIDE2_IN extended permit ip 192.168.2.0 255.255.255.0 any

!Do PAT on the Outside and DMZ interfaces for internal hosts

object network internal-lan1_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside1,outside) dynamic interface

object network internal-lan1_dmz
 subnet 192.168.1.0 255.255.255.0
 nat (inside1,DMZ) dynamic interface

object network internal-lan2_outside
 subnet 192.168.2.0 255.255.255.0
 nat (inside2,outside) dynamic interface

object network internal-lan2_dmz
 subnet 192.168.2.0 255.255.255.0
 nat (inside2,DMZ) dynamic interface

!Create permanent static NAT mappings for the DMZ servers

object network web-static
 host 10.0.0.2
 nat (DMZ,outside) static 100.1.1.2

object network email-static
 host 10.0.0.3
 nat (DMZ,outside) static 100.1.1.3


!Apply ACLs on the proper interfaces

access-group OUTSIDE_IN in interface outside
access-group INSIDE1_IN in interface inside1
access-group INSIDE2_IN in interface inside2

route outside 0.0.0.0 0.0.0.0 100.1.1.10 1

!Create local user for firewall administration

username admin password secretpass privilege 15

aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

!Allow ssh from zone inside1

ssh 192.168.1.0 255.255.255.0 inside1
ssh timeout 20
ssh version 2
console timeout 0
!
![other commands omitted]
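The OUTSIDE_IN ACL above permits traffic to 10.0.0.2 and 10.0.0.3 even though Internet clients address the servers as 100.1.1.2 and 100.1.1.3. On ASA 8.3 and later an inbound packet is un-NATed first and only then checked against the interface ACL, so the ACL has to name the real addresses; an entry written against the public address never matches. The Python model below is an added example written for this edit, not code from the book or from Cisco. It implements only what is needed to show that ordering: the two static object NAT mappings, the WEB-PORTS object-group and the two OUTSIDE_IN entries from this section (all constructed from the listing above), plus a small parser for that subset of ACL syntax.

```python
"""Model the ASA (8.3+) inbound order of operations: un-NAT, then interface ACL.

Added example for this page; it is not code from the book or from Cisco.
Only the static object NAT, the service object-group and the extended ACL
syntax used in this section are modelled; rules below are constructed from it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed from the page: static object NAT for the DMZ servers (mapped -> real).
STATIC_NAT: Dict[str, str] = {"100.1.1.2": "10.0.0.2", "100.1.1.3": "10.0.0.3"}

# Constructed from the page: "object-group service WEB-PORTS tcp" with ports 80 and 443.
SERVICE_GROUPS: Dict[str, Set[int]] = {"WEB-PORTS": {80, 443}}

NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Set[int]]   # None means any destination port


def _net(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(token):
    return NAMED_PORTS.get(token) or int(token)


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group NAME]'."""
    t = line.split()
    assert t[2] == "extended", "only extended ACEs are modelled"
    action, proto = t[3], t[4]
    src, i = _net(t, 5)
    dst, i = _net(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = {_port(t[i + 1])}
    elif i < len(t) and t[i] == "object-group":
        ports = SERVICE_GROUPS[t[i + 1]]
    return Ace(action, proto, src, dst, ports)


OUTSIDE_IN = [parse_ace(line) for line in """\
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.2 object-group WEB-PORTS
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.3 eq 25
""".splitlines()]


def inbound_allowed(src_ip, mapped_dst, proto, dport, acl=OUTSIDE_IN, nat=STATIC_NAT):
    """Un-NAT the destination, then walk the ACL in order; implicit deny at the end."""
    real_dst = ipaddress.IPv4Address(nat.get(mapped_dst, mapped_dst))
    src = ipaddress.IPv4Address(src_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or real_dst not in ace.dst:
            continue
        if ace.ports is not None and dport not in ace.ports:
            continue
        return ace.action == "permit"
    return False


if __name__ == "__main__":
    print("HTTPS to 100.1.1.2:", inbound_allowed("8.8.8.8", "100.1.1.2", "tcp", 443))
    print("SMTP to 100.1.1.2: ", inbound_allowed("8.8.8.8", "100.1.1.2", "tcp", 25))
    mapped_ace = [parse_ace("access-list OUTSIDE_IN extended permit tcp any host 100.1.1.2 eq https")]
    print("ACL on mapped IP:  ", inbound_allowed("8.8.8.8", "100.1.1.2", "tcp", 443, acl=mapped_ace))
```

The last line of the usage shows the classic migration mistake from pre-8.3 configurations: an ACE that permits the public address is never hit after the upgrade, and the connection is dropped by the implicit deny with a "%ASA-4-106023" style denial for the real address. The same ordering is why the INSIDE1_IN and INSIDE2_IN ACLs in this section reference the private 192.168.x.0 source networks rather than the PAT address.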
16.3.2 How to Block Access to Specific Websites with Cisco ASA

The ASA can provide a simple solution for blocking access to specific websites. However, it is NOT a replacement for a full-featured URL filtering solution. There are a few methods to block access to websites. These methods include regular expressions (regex) together with Modular Policy Framework (MPF), finding the IP of the website and blocking it with an ACL, and using an FQDN in an ACL. The first method (regex with MPF) works with HTTP websites but it will not work at all if the website uses HTTPS. The second method (block the IP with an ACL) will work only for simple websites which have a static IP, but it is difficult to make it work for dynamic websites (such as Facebook, Twitter etc) which have many different IP addresses that change all the time. The third method (using an FQDN in an ACL) is the one which we will describe here.

From ASA version 8.4(2) and later, Access Control Lists (ACL) can contain an object which represents a Fully Qualified Domain Name (FQDN). So inside an ACL you can allow or deny access to hosts using their FQDN name instead of their IP address. You can therefore deny access to website www.facebook.com by denying access to the FQDN object "facebook.com" inside the ACL. The ASA will need to resolve all possible IP addresses of the FQDN and will dynamically insert several "deny ip" entries for these IP addresses in the ACL. Therefore you must specify what DNS server the ASA can use in order to resolve IP addresses for the FQDNs. Keep in mind that the block is only as complete as the addresses the ASA itself resolves: a large site that rotates many addresses may still be reachable through an address the ASA has not learned.

In our example network below, we want to restrict access to www.website.com which resolves to IP address 2.2.2.2. The ASA will use the internal DNS server (or any other DNS) to resolve the IP and put a "deny ip" entry in the inbound ACL applied on the "inside" interface.
hostname ASA1
domain-name mycompany.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
![other interface commands omitted]

ftp mode passive

!Specify which DNS server to use for resolving FQDN domains

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.20
 domain-name mycompany.com

!Create FQDN objects for the website we want to block. Block both the www and non-www domains

object network obj-www.website.com
 fqdn www.website.com

object network obj-website.com
 fqdn website.com

!Add the FQDN objects above to an ACL applied inbound on the inside interface

access-list INSIDE-IN extended deny ip any object obj-www.website.com
access-list INSIDE-IN extended deny ip any object obj-website.com
access-list INSIDE-IN extended permit ip any any

!Apply the ACL above to the inside interface

access-group INSIDE-IN in interface inside

![other commands omitted]
Conclusion:

If you have studied carefully the information presented in this Book, I'm confident that you will be able to tackle the most common ASA configuration scenarios that you will encounter in your professional career. The purpose of this Book was to provide you the foundation for designing and implementing one of the most popular hardware firewalls in the market, the Cisco Adaptive Security Appliance. I know that the features, concepts and configuration options that the Cisco ASA Firewall supports are much more than what is presented here. However, with the foundation base that this Book provided you, it is fairly easy from now on to build up your knowledge with extra information provided from other Cisco documents for the ASA.

Again, thank you for purchasing and reading this Book. It has been a pleasure writing this handbook and I really hope that you have enjoyed it as well.

You can check out my Networking related Blog http://www.networkstraining.com for more technical tips and tutorials about Cisco products and solutions. You can also register your email address at my Blog above in order to receive news and updates about my books and other Cisco technical tips.

I will be glad to answer any questions you may have at admin@networkstraining.com

GOOD LUCK TO YOUR PROFESSIONAL CAREER